Branden R. Williams, Business Security Specialist

Visa’s Chargeback Management Guidelines standard

Visa released an interesting PDF yesterday entitled Chargeback Management Guidelines for Visa Merchants. Don’t be turned off by the stereotypical graphic on the front page, there is some good stuff in there for ALL parties involved, not just Merchants. QSAs should read this document to provide a better service to their customers if for nothing else than to see practices from a Non-US centric view. The document starts out with a great review of how payment systems work from the initial presentation of the payment instrument to a monthly bill showing up at the cardholder’s door. Granted, this is a document from Visa, so it has Visa branding and marketing all over this thing, but GENERALLY the process is similar ...

PCI DSS for the Small Office standard

Before I jump into this topic, have I told you lately that I LOVE reader email? REALLY love it. Why? Because it gives me ideas on content to bring to you! If you have a question or idea for a post, please contact me! Now, on to the goods. A reader asked me about compliance in a small medical office situation. How should someone approach it? You probably got a letter from someone with a Self-Assessment Questionnaire, and you are unsure what to do! Here are a few things to consider: What Level Merchant are you? If you are a level 4, you do not have any mandatory reporting requirements per Visa, MasterCard, and Discover, but your processor or acquirer ...

Wait, we did something right? standard

Where have I been? Certainly not here! I’ve been on a little bit of travel to Asia and Australia and spending time with security professionals both inside and outside my company. I also tried the Tim Tam Slam for the first time, and videoed it. Enjoy. In my travels over the last two weeks, I am learning that the security market here tends to be more focused on shiny tools than security process. Someone even made a statement about the maturity of the US around information security and how much more mature it is than what they are dealing with. I was a little shocked, actually. It’s pretty rare that you hear that kind of praise outside of the US. ...

April 2011 Roundup standard

What was popular in April? Poking fun at QSAs still showed up, and I’m working on some new ideas on the behaviors of QSAs for May. Hope to see you at EMC World! Here are the five most popular posts from last month: How To Make A Mobile Payment App Comply With PCI DSS. I had this idea after the PCI Council stopped accepting mobile payment applications, but didn’t have time to put it together until now. It is possible to use a mobile payment application in a PCI Compliant environment! The Lack of Understanding in QSAs. Top five for two months! The statistics are getting interesting. Some reports suggest that HALF of the QSAs trained in 2010 were new ...

22nd of April, 2011
In: Consumer Security, Enterprise Security
0
0

Does Security Impede Innovation? standard

Depends on who you ask, I suppose. In my experience as a security professional I have seen some security organizations in big companies that were so well oiled that patches could be rolled out in a few days after release without any impact to the larger organization. I’ve also seen some that were virtually non-existent—victims of poor leadership or political agendas. Most programs I see fall somewhere in the middle of that continuum, but for the most part are not as functional as they could (should) be. Therefore, in those companies, information security is seen as an impediment to innovation and creative people find ways around them. Imagine for a minute that you were a data center manager looking to ...

How to Make a Mobile Payment App Comply with PCI DSS standard

The PCI Security Standards Council recently made news when they announced that they would no longer be accepting mobile payment applications for PA-DSS compliance consideration. This means that vendors looking to certify new mobile applications or devices are now left in the lurch. But we have to dissect this rather knee-jerk reaction (see, there I go again) by the Council to understand exactly their intent. What they said was: “No mobile payment applications used by merchants to accept or process payment for goods and services would be approved or listed as validated PA-DSS applications unless all requirements can be satisfied as stated… Until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the ...

How Deep is Deep Enough? standard

After my last post on the Lack of Understanding in QSAs, Brad emailed me and asked how much a QSA or ISA should look behind the curtain for someone like an Iron Mountain (analogy used in the post). I feel like a bad consultant/blogger because I only pointed out a problem, but didn’t point out a solution. It’s OK though, I’m over it now. How deep is deep enough? Here is a basic guideline: Is the service provider currently on the PCI DSS Global Registry of Service Providers, and is their listing current? If so, I think most QSAs would look at how the data is handled prior to the handoff, make sure that the handoff and contracts are compliant ...

Neutral vs. Agnostic standard

I am not a grammar expert. Did you see that? If you didn’t start this post over because that first line is important. I do write often and I have a particular style that I like to follow, but most importantly, I am a student of the English language and not an expert. THAT SAID… There are certain things that people do that really grind my gears. I think it has to do with being granted access to a thesaurus too early in life, or lazy students aiming for a minimum page count. Regardless, the result is the usage of certain words to sound smart even though their usage makes you sound dumb. Today I want to cover a word ...

March 2011 Roundup standard

What was popular in March? This month was rather light as my travel schedule was a bit hectic. But I’m working on some great stuff for you this month! Here are the five most popular posts from last month: The Lack of Understanding in QSAs. The statistics are getting interesting. Some reports suggest that HALF of the QSAs trained in 2010 were new QSAs. I’m all about fresh blood, but at some point you might need some experienced folks, right? RIGHT? Bueller? I Don’t Need to Know, I Can Look it Up. Sure, storage is cheap nowadays, but why do we insist on keeping every single piece of data that our business comes across on any given day? Is that ...

The Lack of Understanding in QSAs standard

This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting. It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people ((Meaning me.)) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods—no questions asked. ...