Hosed by Codeshares AGAIN

Yep, a little bit off topic, but that’s why I have a Diversions file! Some of you may remember a post I did for all you frequent fliers a couple of years ago about some travel trouble I was having with airline tickets purchased as codeshares. In all fairness, this isn’t just an issue with one particular airline (although I did discuss my experience with AA/BA). Here’s what happened today. I was finishing up my tour of Ireland a bit early and wanted to stand by on an earlier flight. With BA, you can do this if you have any status at all, including honoring OneWorld levels. BUT! Only if you have a BA marketed & operated ticket. So ...

Missing Mobile is Like Watching the Puck Fly By

Thanks to Andrew Hay for a retweet that I happened upon last night! Keli at Bluebox Security did a post entitled PCI DSS Ignoring Mobile Security is Irresponsible that discusses some of the implications of the Council’s lack of guidance and standards around this emerged (it was emerging five years ago) technology. While many security professionals agree that leaving mobile problems alone to fester is irresponsible and doesn’t do any service to the merchant implementing it, I wanted to take a slightly different angle. To me, a better metaphor describing the situation is someone holding on to their VHS player because they might find that one tape of Dirty Dancing they bought twenty-five years ago. Everyone loves that scene where ...

PCI DSS 3.0: The Good, The Bad, The Confusing

If you have not grabbed your copy yet (or had one emailed to you, as it were), go here to get your very own. As we expected, there are a number of important changes that companies will be dealing with over the next several months as they begin to prepare for PCI DSS 3.0. In this post, I wanted to do a quick highlight of some of the more critical changes now that they are public. If you want to read some of my earlier reservations, they all stand with the final version. Let’s dive in. Periodics and shoulds: Yes, these are now a massive shift in the Council’s position toward ambiguity in the standard. Periodic now appears 20 times ...

September/October 2013 Roundup

Again, with the forgetting of the months. So what was popular in September and October? Wow, lots of crazy stuff. First, we had the PCI Community Meeting for North America in Vegas. My company threw a great party on Wednesday night, and given it is a release year there was a ton of activity around the event. I would argue that not nearly enough time was spent on the Q/A portion (1 hour each day for 2 days). Then we had RSA Europe in Amsterdam and the PCI EU meeting in Nice. Josh Corman gave a great keynote at RSAC reinvigorating the focus on DevOps and information security. I also gave a talk on leveraging Lean & Kanban in information ...

Have a free month of SlideZip Unlimited!

Yep, we just pushed some fun new features to SlideZip, so I figured that we could create an offer to celebrate! Right now, the first 20 people to upgrade to an Unlimited account can get a free month with this coupon code: FreeMonthOct2013. Free is great! Also, we now have support for conferences (with multiple logins, which could be for separate tracks or satellite locations)!

EMV vs the UPT, Can We Fix the #FAIL?

Update Nov 4, 2013: I was in the UK last week and it looks like the Underground has fixed their terminals to allow the use of the chip at a UPT! This is great news. My guess is there is some upper limit to what can be accepted without signature and it is now implemented. Well, it has struck again. Remember how I told you guys about some of my EMV experiences now that I have a card with the chip in it? Well, it struck again… but not in the place you might think! I’m here in Salt Lake City, Utah, and I decided to take advantage of the lovely public transit (UTA) by hopping on the light rail ...

PCI DSS and the Partial Vacuum

Earlier this week I posted some thoughts I had about the newly released draft. Unfortunately, I couldn’t give you guys the actual analysis that both I and folks in my company performed (though, if you become a customer of my company and are already a PO, I am certain we can present something to you). Why? Because the Council is still treating this as a pay-to-play community without thinking about the broader impact to the ecosystem. The folks who frame the standard are some smart, experienced people. I’ve met and worked with all of them in varying capacities, and their job is incredibly challenging while being completely thankless. If you think about how things work in their world, they are ...

Managing Vulnerabilities to Closure

Edit: Merge.io is no longer around; however, I will keep this up as part of the discussion around vulnerability management. I’ve been known to say that vulnerability detection is easy—it’s vulnerability management that’s hard. There are too many tools available today that can tell you everything that is wrong with your security posture. The real work comes in finding the root cause of the issue, permanently eradicating it from your environment (as in changing configuration servers, patching gold builds, dealing with sleeping physical or virtual instances), and validating to everyone who wants to know that you were successful in doing so. Time and time again, my customers complain about the challenges associated with getting clean vulnerability scans. In fact, that might be ...

First Impressions of the PCI DSS 3.0 Draft

OK folks, if you are a participating organization, or some other kind of stakeholder, you should now be able to grab the latest draft of the PCI DSS for the upcoming 3.0 revision. If you are not some kind of stakeholder, you can still get a copy, but you have to be a little more sneaky. I have found copies outside already that are available if you know what to do. Now, before someone from the Council gets all worried, I’m not at liberty to actually disclose what is inside PCI DSS 3.0. Even though I was given multiple copies outside of my current relationship with the Council, I’m going to stick by my agreement and only talk in general ...

Mobile Payments Acceptance Security Best Practices Updated

Visa has a pretty extensive document library of material to help folks cope with some of the threats in the system, and yesterday they updated their Visa Best Practice, Mobile Payments Acceptance Solutions to v3.0. While these are still considered best practices, they are a great starting point for anyone with a mobile payment component to their business. One of my more popular posts is How to Make a Mobile Payment App Comply with PCI DSS, so I know many of you are looking at this. Take this in combination with the Starbucks app, and there is lots of interest. Keep in mind, my original post was really talking about the bare minimum as a way to get around the ...