It’s Board of Advisors time!

Yep, this week is another fun-filled meeting where I’ll load up on all things PCI DSS. While I can’t discuss the topics we will review, what I would like to do is two-fold. First, a reminder that we are in Phase 6 of the lifecycle for PCI DSS changes. This is the feedback review period that takes all the feedback you dutifully submitted back in April and allows the Council to mull changes to the standard. Expect an update at the community meeting in your neck of the woods. Second, a question: is there anything pressing that I should pass along to the Council while in these meetings? Constructive feedback is welcome, and I’m happy to pass it along. Just leave it ...

PCI Requirements Review: Service Accounts and 3.6.6

It’s time for the next of ten posts with a detailed analysis of a PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter: Requirement 3.6.6 – Specifically related to service accounts for applications where a human would have the service account password and the service account can then access the keys. There are two security controls that we discuss in our critical control checklist that are missing ...

PCI Requirements Review: Patching & IPS

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about PCI Requirement 4.1 and mobility. If you have a requirement you want reviewed, post it here! Today, it’s fun with interpretation around patch management and IPS. This isn’t a topic I’ve addressed before, but it is something I’ve debated with a customer. Now, on to our anonymous submitter: Some Host Based IPS vendors and QSAs are saying that if a host based IPS product can block any exploits related to a specific Microsoft patch (virtual patching), then the in-scope system does not have that specific patch applied within 30 days. Even if it SPT cc data! Hrm, interesting. A ...

PCI Requirements Review: Requirement 4.1+Mobility

It’s time for the next of ten posts with a detailed analysis of a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before; for tips on making a mobile application comply with PCI DSS, read this post. Now, on to the reader’s dilemma: Does mobile phone technology fall into [the classification] of public networks? I have ongoing arguments with an acquirer about whether a purpose-built mobile payment device, which they sold to us, can be assessed under SAQ B. The device uses cell phone ...

PCI Requirements Review: Sampling

Hey look, it’s the first of ten posts with a detailed analysis of a PCI Requirement! While this one isn’t specifically a numbered requirement, I do find that sampling is troubling. I’ve written about it before, and we used to have all kinds of fun in the assessment process with sampling. From the reader: Sampling methodology. The QSA has to validate that the sampled infrastructure is compliant with the requirements. However, time costs the client money, which they don’t want to pay. They always go with the lowest price / proposal. How can the QSA convince the client that the sampling methodology used is aligned with the RoC reporting instructions? How can one QSAC propose 30 days to complete a ...

Security and Compliance in a Virtualized World

Are security and compliance hindering your ability to comply with PCI DSS or any other number of compliance initiatives? Check out this BUZZ Talk from EMC World where Paul Divittorio and I talk about how EMC does it, and how you can too! Description of the talk: As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization. The good news is—virtual environments can be more secure than their physical counterparts. It’s time to separate fact from fiction. Let’s discuss your experiences and what we’ve learned from EMC IT’s own virtualization story. Watch the video here!

May 2012 Roundup

What was popular in May? We had Facebook all over the news (again) with its IPO woes, including lawsuits and 30% of the value of the stock eroded, the Call for Papers for RSA Europe closed, and RSA China opened, EMC World festivities in Las Vegas, and a whole host of product announcements to boot! Here are the five most popular posts from last month: Visa Kills PCI Assessments and Wants Your Processor to Support EMV. Another month, another winner! Is this the end of PCI Assessments? Visa threw out some timelines and program details last year that you need to know about. Top 10 PCI Requirements for Interpretation. I haven’t quite gotten ten yet, but I’ll start working through ...

Data as a Gravity Well

Las Vegas hosted one of EMC’s premier events, EMC World. While this show is primarily IT focused, RSA (the Security Division of EMC) makes a presence every year. This year was my second to attend, and even though the location was the same, there was a big difference in this year’s average IT attendee—they showed a tremendous interest in Security! In fact, our booth at EMC World was PACKED on Monday evening. We nearly hit our goal of visitors for the whole show on the first day! Security and compliance had a track in the breakout sessions, and if you went to Sanjay’s keynote, you may remember our CISO getting up on stage to talk about some of the security ...

Where is your first line of defense?

I recently attended a fantastic roundtable put on by Financial Times in New York and as I’m sitting listening to a group of folks that specialize in anti-money laundering and fraud, one person stated that people detected the vast majority of fraud or money laundering with tools playing a supporting role. By itself, this seems to be a bit damning toward the technical sector essentially stating that they aren’t any good at detecting fraud. Or at least their tools aren’t any good. But technology has always played a catch-up role when compared to human intuition. It could be simple things like highlighting the right statistical inconsistencies for analysts or complex things like playing chess against the world’s best, but we’re ...

Guest Post: Will the new QIR Program Move the Needle?

The following is a guest post by Steve Levinson, PCI Goon. You can contact him here. The PCI (Payment Card Industry) Council (PCICo) has pointed their elbow in the direction of those responsible for installing payment applications. PCICo issued a press release yesterday announcing the PCI Qualified Integrators and Resellers (QIR) program. The QIR program is designed to improve the quality of the integrator/reseller community often tasked with installing and maintaining payment systems. Is this the silver bullet we’ve been waiting for? According to the release, the PCI Council is in the process of rolling out this program to train and certify software resellers and system integrators. The Council will list those certified organizations and individual employees on their web ...
