PCI Community Meeting, 2014

No snarky comments here ((Although, those were some fun times, use the search feature to learn more…)), and it’s time for the first of three community meetings starting tomorrow. These meetings have been going on every year since 2007 in Toronto, one year after the Council was formally announced. Even though my career has moved away from the life of a QSA, I have made every one here in the US, and several in Europe, sometimes as a QSA/ASV, other times as a Board of Advisors member, and finally as a sponsor. Last year, I wrote that 2013 was a pivotal year for PCI DSS. We got a new version of PCI DSS that has been controversial at best. ...

Will this Band-Aid help?

You know when you get a paper cut in the webbing of your fingers? How many of you just shuddered at the thought of such a minor, but memorable malady? Now, think about one of the times that you got in there really deep and had to find a band-aid. Those normal ones just don’t work! You need a special band-aid with the butterfly flaps on it. Then you can get on with your day without spreading more of your DNA on everything you touch. With all these POS breaches (like Home Depot this week), we need to address a paper cut. The paper cut here is the POS system. We can describe them as two machines with different life ...

August 2014 Roundup

We wrapped up the survival tips for young (and sometimes experienced) professionals series and got back to information security! While you are all still very interested in getting great customer service, my posts on the effectiveness of PCI DSS also made the rounds this time around. I hope this sets us up for a great discussion in a couple of weeks at the PCI Community Meeting in Orlando! Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. The economy is humming along quite nicely. How do we know? Because people are getting poor customer service and reading posts like this one. Is customer service less important now that customers are ...

Guest Post: PCI Compliance Fees, Fines, and Penalties – What Happens After a Breach

The following is a guest post by Mark Burnette. You can reach him directly here. The PCI Data Security Standard (PCI DSS) is a set of rules designed by the credit card brands to enforce card data security. Though these are industry rules rather than laws, they can result in stiff fines and penalties for businesses, and even cost a business the ability to process credit cards. What’s more, these rules impact every business that stores, processes, or transmits card data – from mom and pop shops to retail titans. So what exactly happens to a business when it’s caught out of compliance?

Fines and penalties

Let’s say your business has suffered a data breach. First, the card brands will go to ...

So, uh, is PCI DSS effective?

After the last post, I thought I’d describe some of the challenges with measuring the effectiveness of PCI DSS. Some camps argue it is absolutely effective because there has not been a compromise to date of an entity that was fully compliant with PCI DSS at the time of their breach. Others suggest extremely low compliance rates in certain groups of merchants indicate it’s not effective in helping the little guy. A few pick up headlines and just scream that it’s broken. An industry colleague of mine, Steve Levinson, is famous for a number of sayings. One he uses when faced with numbers that sometimes don’t make sense is: “There are lies, damn lies, and statistics.” While I know he ...

Is PCI DSS Effective?

Another week, another breach. SuperValu is the latest entity to suffer a breach involving credit cards, and I saw a tweet over the weekend that inspired this post. It was along the lines of “I’d hate to be the guy who has to explain how PCI DSS is effective against breaches.” While there is some humor in the tweet, there is more than just the standard in play here. PCI DSS by itself is a good baseline for handling cardholder data. I’ve written articles, blogs, books, and given talks on the merits of PCI DSS ((If you are on the Council reading this, remember, I’m an on-record supporter)). PCI DSS also has flaws, compared to other compliance initiatives, that are ...

Why won’t you change your password?

There was a very interesting post by Punam Keller last week on the HBR Blog Network on the psychology of passwords. This isn’t like the previous posts you have seen on this blog. While I tend to focus on the technical problems and ways around them, Keller explores the behavioral aspects of passwords and our general resistance to doing what we all know is right. She highlights four attitudes that people have when it comes to passwords: People who don’t know they should change their passwords—most likely because they intentionally ignore information that indicates they should. People who know they should change it, but avoid doing it because they think password theft and misuse will happen to someone else. People who ...

Locking your Door is a Bad Analogy for PCI DSS Compliance and InfoSec

Storytelling is a pastime that spans all of human existence. Famous stories like cultural parables or classics like Romeo & Juliet attempt to tackle complex or conflicting ideas and relate them to someone. We use it to pass information from place to place, to captivate audiences when delivering unexpected information (see TED talks), and to explain to a lay person why they should take some action. Pick a security standard or compliance initiative, and you will find hundreds of analogies that attempt to reduce its complexity to a tagline or short list of tasks. One in particular that is quite popular in the PCI DSS and information security space is comparing compliance with locking your front door. Of course you ...

Consider the Hawthorne Effect for Big Data

The Hawthorne Effect is a term coined to explain inconclusive results from a set of studies on worker productivity performed at Western Electric Company’s Hawthorne Works in the 1920s and 30s. Essentially, researchers were confused by the productivity results from two specific parts of the study—changes in illumination levels and worker break time—which improved productivity only during the study. Workers knew they were being studied, and so improved productivity regardless of the changes implemented by the researchers. The Hawthorne Effect is used to describe positive results from research that are influenced by the subjects’ awareness of being observed, not by the actual independent variables studied. Researchers now work to reduce this effect in a number of ways, but it is still a tricky process. The ...

Corporate Survival Tips for Young Professionals: The Roundup

Well, it’s been quite a journey over the last month or so! I hope that some of the things presented here are helpful. I’m happy if just one tip makes a change in your career! During my research for this series I found TONS of other bloggers who have posted information about some of these skills (many around politics and politically charged environments). I would encourage you to find more information on your own to further your skills. As a suggested starting place, check out this blog post by Jack Zenger and Joseph Folkman titled, The Skills Leaders Need at Every Level. If you need a quick reference to ALL of the posts in this series, use this link. Possibly ...
