Why Visa’s TIP Doesn’t Matter

On Thursday, I posted about a memo released by Visa, Inc. last week discussing the acceleration of EMV adoption. There is much buzz going on right now as merchants now have a false sense of hope. PCI Assessments aren’t going anywhere any time soon. Why? One of the fundamental rules about PCI DSS is that you are dealing with five competing payment brands that handle their own enforcement. This means that as a merchant you can be a different level with a different payment brand, which may or may not affect how you validate compliance. A move by any one payment brand does not necessarily represent all five brands, nor does it guarantee that you will see the effects in ...


Chip and PIN on the Way

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...


Will Service Suffer?

It’s weeks like this last one that I am glad I am not a market maker or securities broker. I doubt my ticker could survive the roller coaster ride of highs and lows over the last three years. But what happens with service as the economy falters? Let’s just say that this recent string of declines forces some businesses to continue to wring cost out of their business. That means that once again, the cost centers of business will be asked to do more with less. Cutting heads, moving employees to lower cost geographies, and removing investments for continuous improvement take their toll on the employees, which then trickles down to customers. Between appointments last night, I flipped on Undercover ...


The End of Subscriber Privacy

I’m not sure if anyone actually believes in internet privacy anymore, but what little we may have had may now be completely eroded thanks to a new bill in the US House of Representatives, the Protecting Children From Internet Pornographers Act of 2011 (H.R.1981). If the bill in its current state becomes law, internet service providers must maintain the following subscriber data for a period of 18 months: names, address(es), and temporarily-assigned IP addresses. While this measure does not aim to maintain detailed activity logs of subscribers, it is designed to be a point of reference for companies to trace actions to individuals. For example, if a temporary IP address of a home internet subscriber is found to be used in an ...


July 2011 Roundup

What was popular in July? It was an Apple-friendly month with more iCloud discussions, Lion, replacing my iPhone, and polls about a stricter PCI DSS. We also saw some mobile payment applications make their way back onto the PA-DSS approved application list, and a flurry of discussion around social media, mostly centered on Google+. Here are the five most popular posts from last month: Security Tips for Non-Techies. What is it that you do again? The truly brilliant among us can take our complex jobs and describe them to non-techies in words they understand. But how do you explain the WHY and HOW in simple terms? Don’t fret, DHS did it for you. Learn more here! Audience Participation: ...


Herding Cats July, Breaches Can’t Happen to Us

Have you checked out ISSA Connect yet? The next issue is up there with my column, Breaches Can’t Happen to Us. This one was fun for me as it follows a common theme you can expect from Ol’ Brando: the business end of security. Most security professionals have not had any sort of business training, or, with some I have met, don’t really give a flying futon about business. Before you go ask for more money in your budget, you should read this article. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up ...


Using Transaction ID for Payments

Where is it in your strategy? Each payment brand calls it something slightly different, but they all have something like this now: every transaction pushed through their network can be identified with a unique transaction ID. With PCI DSS continuing to be a significant burden for merchants to handle, I can’t think of a better time to consider alternative methods for handling cardholder data after authorization. Merchants have many options when it comes to PAN replacement. When it comes to tokens, there are typically two different options you might choose—either per-transaction tokens or per-card tokens. Merchants that want to perform analytics on purchasing behavior using just the payment card itself as a way to track purchases should go ...


Security Tips for Non-Techies

One of the most challenging things that I regularly do is explain my job and career choice to non-techie users. Ask my Mom what I do, and you might get one of the blankest stares you have ever seen thrown right back in your face. In fact, I think this general lack of security knowledge among users contributes tremendously to the success of attacks against consumers. How else do we have millions of drones waiting for commands on unsuspecting users’ machines? I’ve heard the following from family members before: But I bought an anti-virus program three years ago! Why do I have to pay for it every year? But I had to disable the security settings so I could play ...


The Perfect World

I was recently asked in a meeting of the minds to describe my view of the perfect world as it relates to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem, and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person. In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years ...


June 2011 Roundup

What was popular in June? It was iCloud, PCI Council fun with mobile payments and the updated Prioritized Approach document, and an older post about the quality of QSAs that surfaced in the top five again this month. Here are the five most popular posts from last month: iCloud Security Questions. WWDC unveiled some pretty cool new things from the overlords at Apple, but one of the most interesting to me was the unveiling of the iCloud service. Check my thoughts on some of the security concerns that must be addressed before you consider wide adoption. Updated Prioritized Approach. You cannot cookie-cutter PCI DSS, but if you see it as a crazy daunting task and are at a loss when ...
