PCI Community Meeting Reviews from the Field standard

While I was at the community meeting, I chatted with several individuals that had feedback on the conference, and here are a few nuggets distilled from over an hour of audio recordings: Council is getting better at understanding how reports are generated, but there still seems to be an inability to tie any given report back to the environment assessed. For example, was it scoped correctly? Were the controls assessed per the intent of the standard? Was the appropriate risk-based approach taken? CBT Requalification is convenient, but lacks the flowing Q/A that you might see in an interactive training course. May consider trading an in-person training (or interactive training) every so often as opposed to all CBT. Large variance among ...

Continue Reading

PCI Community Meeting 2011, That’s a Wrap standard

What was day 2 like at the community meeting? Lots more tweeting, lots more networking, and lots more info! First off, HUGE thanks to Gene Kim for being the most prolific twit, by far. Those present and not thank you! We started with the Verizon Data Breach Investigation Report review from Chris Novak. While the report is not new, Chris’s anecdotes that went along with the report solidified key findings for the group. Next the conference offered options. I opted for the PCI in Practice track with fellow board members Peter Cooper, Philip Morton, and Patrick Phalen. Each presented stories and strategies they used to bring their global organizations in compliance with PCI DSS. I enjoyed the session, and I ...

Continue Reading

PCI Community Meeting, Day 1 Observations standard

The first day of the event has been packed full of activities! First off, it’s been great to see everyone. Say what you want, but there are some very smart people in this industry and I really enjoy the conversation (even if it is over one of those silly Compliance on the ROC drinks). We opened the session with Bob doing that thing that he does, including a heartfelt thanks for the outpouring of support he had after missing the meeting last year. Then we saw Eduardo Perez jump up and do a quick update. My favorite quote from him is “Security has to evolve as new technologies emerge.” New technologies change the attack surface, and it seems like most ...

Continue Reading

Apparently You DO Need Assurance standard

I was going through some tweets last week and came across a tweet by @rybolov touting the most interesting blog post he will read all month about code scanning and regulatory capture. It’s from Mary Ann Davidson, the CSO of Oracle and entitled, “Those Who Can’t Do, Audit.” While I’m not an auditor (and never have been), I’ve performed many-an-assessment in my career so I thought I’d take a look at the re-purposed cliché titled post. The first thing you will notice is that the post really isn’t about auditors, it’s about static code analysis. If I can distill the meat of the post down (and cull the 2/3s that compose fat/rant), her point is that certain groups have created ...

Continue Reading

Herding Cats: Trust in the System (September 2011) standard

It’s September, and you know what that means! It’s time for another edition of Herding Cats! Last month’s, entitled “Walk that Walk,” is available here, and this month’s edition is titled Trust in the System. For regular readers, you might wonder why I am not talking about ISSA Connect and reading it over there. This month there was so much good stuff in the ISSA Journal, that my column didn’t make the cut. But I spent time writing it, and I’m not breaking my streak! DO take the time to go check out the articles on ISSA Connect this month, though, as there are quite a few great ones to comment about. Also, if you are not a member, join ...

Continue Reading

August 2011 Roundup standard

What was popular in August? I had some fun with Visa’s TIP program, and in fact, just made a final post on the topic (for now) yesterday. Merchants in the middle of technology upgrades have some decisions to make on what they deploy and how they choose to process payments. We also saw our first (that I have a record of) public revocation of a QSA’s status. Here are the five most popular posts from last month: PCI Coucil Revokes QSA Status (Finally?) It had to happen SOME time. With QSA popularity at an all time low, it looks like the Council finally took action against a QSA. See the details here, including some instructions on what to do if ...

Continue Reading

Last Word on the Visa TIP standard

The Visa Technology Innovation Program (TIP) is certainly stirring up all kinds of discussions in the technology community. I had an opportunity to get some clarification on exactly what these new changes from Visa mean for you, and wanted to summarize them here. Unlike the Compliance Acceleration Program (CAP) which used fines and interchange fees to motivate merchants, there is no true financial incentive to participate in the TIP… today. The closest resemblance to a financial incentive is the domestic and cross-border counterfeit liability shift. Merchants that cannot accept an EMV or contactless card when presented one by a customer will bear the liability of a fraudulent transaction instead of the issuer after October 1, 2015. The TIP mandates that ...

Continue Reading

More Problems with Averages standard

Math fascinates me—much more now than it did in school. I wish I had more interest in advanced math while I was in school because I feel like I would use it in my job. Part of the problem is the way that mathematics is taught, and for that I place part of the blame on my teachers during my formative years. Nobody cares about when a couple of trains would intersect. If the material was related to things that interested me at the time, I would definitely have enjoyed it more. I was reading an article from Harvard Business Review about the average cost overruns in large IT projects, and there was a figure thrown out about the average ...

Continue Reading

Is Visa Taking the Training Wheels Off of Security? standard

Step into the way-back machine with me and let’s turn the dial to 2000. What a glorious time that was! We were at the peak of what would soon be known as the DotCom Bust((Although poor corporate accounting practices had a hand in this one as well.)). Information security was this fledgling group in most companies that was called to clean up virus outbreaks. Then we weathered the storm. Markets crashed, IT budgets were slashed to the bone, and security professionals suffered too. We fought hard for every single dollar that came our way, yet we still were playing catch up. Now let’s forward to December 15, 2004, when the first release of the PCI DSS made its way into ...

Continue Reading

Visa Kills PCI Assessments and Wants Your Processor to Support EMV standard

Visa made a few new changes public yesterday on their Key Program Dates for their Cardholder Information Security Program. It’s been a Visa heavy month as we watch them push EMV here in the US. Two other posts you should read: Chip and PIN on the Way Why Visa’s TIP Doesn’t Matter (to you) Now, what did Visa announce yesterday? It looks like the Technology Innovation Program (TIP) is coming to the US. But as you already know (because you read the second post above), this doesn’t matter to you. From this release: Effective 1 October 2012, Visa will expand the Technology Innovation Program (TIP) to the U.S. TIP will eliminate the requirement that eligible merchants annually validate their compliance ...

Continue Reading