Branden R. Williams, Business Security Specialist

The Perfect World standard

I was recently asked in a meeting of the minds to describe my view of the perfect world as it related to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person. In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years ...

June 2011 Roundup standard

What was popular in June? It was iCloud, PCI Council fun with mobile payments and the updated prioritized approach document, and an older post that surfaced in the top five again this month around the quality of QSAs. Here are the five most popular posts from last month: iCloud Security Questions. WWDC unveiled some pretty cool new things from the overlords at Apple, but one of the most interesting to me was the unveiling of the iCloud service. Check my thoughts on some of the security concerns that must be addressed before you consider wide adoption. Updated Prioritized Approach. You cannot cookie-cutter PCI DSS, but if you see it as a crazy daunting task and are at a loss when ...

Audience Participation: Who wants stricter PCI DSS requirements? standard

WAY before I started serving my term on the PCI Board of Advisors, someone privy to the conversations once told me that the early discussions had people grouped into two distinct camps: Make PCI DSS more prescriptive and remove gray area! Remove some of the prescriptive nature of PCI DSS to allow people flexibility in meeting the standard! While I’m not at liberty to disclose conversations that happened two weeks ago, I’m wondering what the folks in the field think about a topic similar to this: should PCI DSS evolve to a stricter standard or more of a framework? After announcing our election to the board, I have had SEVERAL folks from varied industries and backgrounds give me words of ...

A Brief Word about PCI DSS and Mobility standard

Big news Friday as the PCI Security Standards Council released several documents reversing their temporary ban on SOME mobile payment applications for the PA-DSS list. Essentially, purpose built devices are allowed, others are not. Remember, as long as the device complies with PCI DSS in production, you do not necessarily need a PA-DSS certification to deploy it. It certainly helps the discussions with your QSA or Acquirer, but it is not a requirement. In fact, not all devices CAN comply with PCI DSS, so that should be your first step. Go back to my guide on how to make a mobile device comply with PCI DSS for more information on key areas you need to investigate. If you can install ...

Telephone-based Payment Security standard

Back in March the Council released an information supplement on the PCI SSC website entitled Protecting Telephone-Based Payment Card Data. Wait… MARCH you say? Brando, seriously, work on the timeliness of information. Yeah, yeah… I hear ya. I tend to post about things that I see in my daily experiences, and frankly, I thought we had the telephone-based payment problems solved based on the Council’s official FAQ 5362 on the topic. While the answer seems pretty complete to me, the PDF above also includes several other elements that may be useful to companies dealing with telephone-based payment issues. On Page 6 you will find a flowchart designed to help companies break down complex environments into a series of Yes/No questions. ...

PCI Board of Advisors, and Truncation Best Practices standard

Last week was the first PCI Board of Advisors meeting for the recently elected board set to serve through June 2013. While it was a very productive session, I will not be able to blog about much of the meeting. It’s that way by design (rightfully so). At some point, I’ll have a few additional guidelines to work within, but ultimately I signed an NDA as did my company, and I plan on honoring the terms of that NDA regardless of my thoughts about it. Just to clarify, I plan to honor the terms in the NDA that I signed, or live by the consequences if I don’t. But that’s not what this post is about. I’ve been an advocate ...

8th of June, 2011
In: Consumer Security, Enterprise Security
0
0

iCloud Security Questions standard

I admit it, I’m a fanboy. So on Monday, I was doing what I could to keep up with the WWDC Keynote. Unfortunately, that meant reading a live-blog between phone calls, but it got enough of the job done. I’m looking forward to many of the new features in Lion and iOS 5. One announcement that caught my attention was the new iCloud replacement/enhancement for MobileMe. From the website: iCloud stores your music, photos, apps, calendars, documents, and more. And wirelessly pushes them to all your devices — automatically. It’s the easiest way to manage your content. Because now you don’t have to. Preposition ending sentences aside, this is some pretty cool stuff. I’m already familiar with MobileMe as an ...

Herding Cats April, May, and June! standard

Have you checked out ISSA Connect yet? The next issue is up there with my column, This Ain’t Yo’ Daddy’s Malware! I’ve also posted in Herding Cats section of the site, the April and May editions of the column. My sincere apologies for not putting those up here earlier, but those of you who are members of ISSA got to see them as they were published. Are you not a member? Well why not?! If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

May 2011 Roundup standard

What was popular in May? Poking fun at QSAs still showed up, and I’m working on some new ideas on the behaviors of QSAs for May. Hope to see you at EMC World! Here are the five most popular posts from last month: PCI DSS for the Small Office. Inspired by a reader (just email me your questions), I discuss how a small office should tackle PCI DSS. New PCI Board of Advisors Elected. Yep, looks like I get to contribute a bit! I’m now on the Board of Advisors representing RSA. Visa’s Chargeback Management Guidelines. Wondering how to deal with chargebacks? Check this document out for specific details on what you need to defend yourself (and more importantly, what ...

New PCI Board of Advisors Elected standard

The PCI Security Standards Council announced on Friday the new PCI Board of Advisors for 2011 and 2012. There are some familiar names on the list as some of these companies are in their third term on the board, and there are some new faces, namely RSA, the Security Division of EMC. I am the representative from RSA that will be participating on behalf of the company. This is something I am looking forward to, and for those of you that voted for RSA and me, I am grateful! I hope that I can live up to your expectations. In that note, if there are things you are interested in having me take to the board, I would be happy ...