MasterCard Releases Mobile POS Best Practices

Mobile POS is becoming a hotter topic as more vendors create hardware designed to leverage smartphones and tablets. To this end, MasterCard released a fantastic document detailing the Best Practices for Mobile Point of Sale. I have written before about how to make a mobile payment application comply with PCI DSS, and this document really goes into the details of the payment stream, the acceptance types, and the challenges and solutions for mobile payment acceptance. This document isn’t just for people who are considering mobile payment acceptance; every merchant should read this, as someone in your organization is already thinking along these lines (and maybe even piloting equipment). This is a key reference for me and I ...

The Phoenix Project, a Novel for Today’s IT Professional

Today is a great day for aspiring (and perhaps current) IT leaders as The Phoenix Project by Gene Kim, Kevin Behr, and George Spafford is now finally available and shipping. If you are in any way connected to anything related to information technology, this book should be on your reading list for Q1 2013. I read the final manuscript in a matter of days and could not put it down. This book is modeled after the iconic manufacturing title, The Goal. But instead of an overweight scout causing an enlightening view into the theory of constraints (poor Herbie), it’s a failing IT department in a business outpaced by competitors. All of the classic themes of today’s IT issues are explored ...

Flick-through Friday!

Sorry, that was the closest thing to alliteration I could get to for this blog. It’s Friday! How’s everyone doing after their first full week back? Other than the circus of CES 2013, things at Oracle have to be a little tense with this newly discovered massive hole in Java. I do have a couple of reading suggestions for you today as you close out the week. What has two thumbs and finally updated his Herding Cats page? THIS GUY! Man, I’m sorry about being so slow with this. No excuses. But now every issue is available, including the ones from May to this January that are now live. Go see if you can find the title that made my ...

Deceit as a Defense

An information security professional’s job is becoming more like military defense every day. We are charged with battling on multiple fronts, typically without enough resources to do the job well. Yet, our creativity can serve us well in defeating any number of attackers before they steal our goods. Now we have another great example of a company taking military defense techniques to a new level and leveraging deception in their daily process. Keep in mind, deception of this level is much different from throwing a honeypot on your network and waiting for a low to mid-level hacker to stumble upon it. This is the kind of deception designed to confuse even the most sophisticated bad guys by using one of ...

Top Posts of 2012

It’s holiday season and things are coming to a close for the year. It was an interesting one, for sure! I wanted to take a few minutes to tell you about some of the top posts in 2012. Ever wonder what will probably cause you to have a breach? This post discusses the top five reasons why PCI DSS breaches occur. This year I offered a detailed review of specific requirements (I’m still willing to do this if people have specific ones they want reviewed… email me), and here is the top one. The debate on PCI DSS often focuses on things we need to add to the standard, but I suggest that there are things we can remove. Check ...

Free PCI Book Giveaway!

OK folks, our PCI Compliance book has been out for a few months now, and Anton & I thought it would be fun to give away a second copy with another contest! We have assembled a group of three independent judges who will look at the submissions and pick winners for each competition. The winner will receive a free, signed copy of the book! In fact, it would be one of those rare “dual-signed” copies with both of our signatures (and the book will have to travel from TX to CA – or from CA to TX – for this). So, on to the second contest (first one). Our book attempts to draw a middle line between the black & ...

IDC Releases Alarming Trends for the Digital Universe

Nobody disputes the growth of digital information over the last decade, enabled by developments in storage technology and put to use in the hands of consumers. We all create content every day, and as phones get bigger and better processors, cameras, and radios, we can expect this to continue. To put the growth of digital information into perspective, think about how painful it was to download a thirty-second HD movie clip five years ago or an entire music album ten years ago. Now we do it on our phones or tablets without thinking about it (until that data bill comes in!). IDC released a study today (in conjunction with EMC) projecting that the digital universe will be so large ...

November 2012 Roundup

What was popular in November? It was the month of the mustache! Ron Burgundy and Ron Swanson certainly set the bar; how did you fare? We saw the kickoff of the retail rush here in the west as well as some interesting new developments on both the virtualization and the game theory fronts. Here are the five most popular posts from the last month: PCI Compliance Book Giveaway! Did you get your story in? Probably not, as we only had four stories to choose from! We did pick a winner, and will be announcing soon. PCI Council Releases Risk Assessment Guidelines. It’s the latest output from the 2011-2012 SIGs and it’s available for you! Go see why this may or ...

The CNP Fraud Cliff

It seems like we’ve heard the word “cliff” overused recently to describe a number of doom and gloom situations, from an HBR article describing Novartis’s “Patent Cliff” to the impending “Fiscal Cliff” here in the US. Well, since cliff talk sounds like fun (and includes other fun words like crag, precipice, and aerie), I thought I’d discuss another impending cliff here in the US that is only a few years away. This cliff shows up as a direct result of the deployment of EMV, and we’ve seen it in many other locales. It’s the Card-Not-Present (CNP) fraud cliff. Earlier this year, King (2012) released a compilation of information discussing Chip and PIN’s impact on fraud in a number of global ...

The Biggest Thing The PCI Council Can Do

The PCI Council has been pretty influential in our lives since its inception on September 7, 2006. They were handed control of the PCI Data Security Standard and have turned it into a cascading group of standards that govern (or recommend controls) for nearly every aspect of payment acceptance and processing. So it almost seems like this PCI problem is sort of solved, doesn’t it? When you look at the PCI DSS ecosystem, many of the big rocks have already been addressed. This has some interesting side effects, one of which is a camp of merchants that have been hounded to get compliant (Levels 1-3) and a mass of merchants that have no clue about PCI DSS until they are ...
