First Impressions of the PCI DSS 3.0 Draft standard

OK folks, if you are a participating organization, or some other kind of stakeholder, you should now be able to grab the latest draft of the PCI DSS for the upcoming 3.0 revision. If you are not some kind of stakeholder, you can still get a copy but you have to be a little more sneaky. I have found copies outside already that are available if you know what to do. Now, before someone from the Council get’s all worried, I’m not at liberty to actually disclose what is inside PCI DSS 3.0. Even though I was given multiple copies outside of my current relationship with the Council, I’m going to stick by my agreement and only talk in general ...

Continue Reading

Mobile Payments Acceptance Security Best Practices Updated standard

Visa has a pretty extensive document library of stuff to help folks cope with some of the threats in the system, and yesterday they updated their Visa Best Practice, Mobile Payments Acceptance Solutions to v3.0. While these are still considered best practices, they are a great starting point for anyone with a mobile payment component to their business. One of my more popular posts is How to Make a Mobile Payment App Comply with PCI DSS, so I know many of you are looking at this. Take this in combination with the Starbucks app, and there is lots of interest. Keep in mind, my original post was really talking about the bare minimum as a way to get around the ...

Continue Reading

Introducing SlideZip! standard

Hello Internet! I had an idea for a product last summer to help with my presentations. I wanted to find a way to allow people to easily and quickly get access to the presentation materials (and other stuff) while keeping the conversation going after I left the stage. Gene Kim and I discussed a number of options, and within a few hours I had something crude cobbled together. Folks at my talks could get the slides by sending a quick text message to an address, and BAM! Slides in their inbox! It worked great for me, but required too much customization to be actually useful. In February after I left RSA, I decided that it was time to re-learn Ruby ...

Continue Reading

July/August 2013 Roundup standard

You forgot a month, yo! Yeah, sorry about that. So what was popular in July and August? It’s summer, but you know it’s been pretty mild over here! I’ve been traveling again as I have a new gig, and I met all of my classmates again as we are aiming to accelerate our programs (right now, I’m two quarters ahead!). It’s the kickoff of fall conference season soon, so I hope to see you guys on the road. Here are the five most popular posts from the last two months: How Starbucks is Revolutionizing Mobile (Micro) Payments. Guys, something is going on here. I don’t know if there is just a heavier push to mobile right now or what, but ...

Continue Reading

Visa Updates Memory-Parsing Malware Warning standard

Visa released a public update to their Memory-Parsing Malware Warning yesterday bringing forward signatures and IPs from their original alert in April based on recent activity. This very effective technique can present itself leveraging commonly used debugging techniques for software. Essentially, this malware will access a few readily available routines to hook into the memory in a way that allows them to access and export full track data. So all of you folks who told QSAs like me this would never happen in a million years (this was a constant conversation from 2004 to 2009), baZINGA. Now that we have bazinga’d, let’s focus on how to prevent this from happening. Remember that post I did a while back about the ...

Continue Reading

Hurry Up and Wait, PCI DSS 3.0 standard

The PCI Council announced some highlights to the upcoming changes to PCI DSS 3.0. Here’s an article from TechTarget with comments from Bob & Troy that you might want to check out as well. The Council’s press release and available documentation does give us some insight into what they are thinking with respect to the changes, but as is with most things PCI, the devil will definitely be in the details. Based on the doc, here is a quick good/questionable list of these changes: The Good: Scoping is always an issue with PCI DSS, and now there is a formal requirement to maintain an inventory of system components that are in scope. Frankly, I don’t know how you could manage ...

Continue Reading

The Art of the Interview standard

Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon! But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry. If you have worked with me in the past, you probably remember ...

Continue Reading

Summer Conference Season is upon us! standard

Next week many of us descend into the hotness that is Vegas in July/August to head to BlackHat, BSidesLV, and Defcon. I’ll be there for BlackHat and hope to see you too! I’m available to catch up on Wednesday and Thursday. And don’t forget, that while one conference is in full swing, others are getting geared up. Have you submitted your RSA Conference 2014 proposals yet? They are due Friday (unless the deadline is extended, which it usually is)! I’ve got a few that I am working on, so hopefully the committee will see fit to have a couple added to the program. And don’t forget that we have the PCI Community Meeting in a couple of months as well. ...

Continue Reading

June 2013 Roundup standard

Why not use that awkward day between a holiday and the weekend to discuss what was popular in June? Summer is here, and boy does it show. No, not the heat, the amount of geopolitical events we had last month (and this one)! The PCI Council seated its new Board of Advisors last month, I wrapped up another quarter of school, and I got to tour some awesome behind the scenes stuff at my home airport. Here are the five most popular posts from the last month: The Only Customer Service Script You Will Ever Need. OK, maybe it’s a sign that I have hit on a few key points. Four of the five here are bigtime repeat customers. Is ...

Continue Reading

A Fun Day with American Airlines standard

It’s no secret around this place that I travel a little. You know, just a few thousand miles a year. Since I live in Dallas, I have two major choices for airlines—either Southwest or American Airlines. I have flown both, but my preferred carrier (by far) is American. In fact, my family has a great traveling legacy with American Airlines. I have flown on almost every single type of plane that American has had in their fleet since the 1980s, including several that are no longer in service (DC-10, Boeing 727, and Fokker 100). I can remember standing outside my dad’s office as a kid learning from him and others every kind of plane on approach to DFW runway 17C. ...

Continue Reading