PCI Board of Advisors Voting Open!

If you are a participating organization or other stakeholder in the PCI Security Standards Council, you should have received your voting ballot for the next Board of Advisors today. RSA is listed as one of the vendors, and I hope that we contribute enough value to the security community to be considered one of your top three! Voting closes on Friday, April 8.

Herding Cats February and March

Have you checked out ISSA Connect yet? The next issue is up there with my column, The New Network Security Paradigm! You can also see the column from last month, Alice, Bob, and Chuck, paying homage to the RSA Conference’s 20th anniversary! I also published a more corporate friendly version of The Seven Deadly Sins of a QSA (the too hot for TV version is here). This month’s column discusses the changing IT paradigm corporations must support as consumer-marketed technology becomes a bigger player in the corporate world. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are ...

February 2011 Roundup

What was popular in February? This month I concluded my new piece, The Seven Deadly Sins of a QSA! You can download it below. We also had the 20th Annual RSA Conference in San Francisco this year. It was probably the best RSA Conference I have attended since I started working the show five years ago. Here are the five most popular posts from last month: Visa Allows Non-US EMV Merchants to forego PCI Assessments. This was an interesting move by Visa. Essentially, Visa has given merchants a way to avoid the annual assessment process if they meet four criteria. Check out this article to see if you can qualify! Keep in mind, if you accept other non-Visa branded payment ...

Security as a Service ≠ Securing the Cloud

What a week! The 20th RSA Conference is over and it was great to see the masses back out at the Moscone again. I don’t think it’s been this big in a while, but if the parties are any indication, companies are spending money again. I want to say congrats to all the Social Security Blogger Awards nominees and winners! The selection committee did a great job this year selecting a group of absolutely fantastic individuals. Also, thank you to Securosis for putting on the Disaster Recovery Breakfast. That was much needed, and it also was a place for Anton & I to plan out the 3rd edition of our book! Wait until you see what we have in store ...

Dave Hogan Leaves the NRF

Yep, it’s true. Looks like Dave is moving on for a more “traditional industry position.” In honor of Dave leaving his long tenure, I wanted to revisit my favorite five posts about Dave Hogan:
Why the NRF is Dead Wrong
The NRF Goes Past Where the Sidewalk Ends
The Blame Game
Review of PCI Congressional Hearing
For the Record, I Love Dave Hogan!
Blue skies, Dave, and enjoy!

Seven Deadly Sins of a QSA (THE END)

QSAs are human, and humans make mistakes. Over the last several posts we have discussed seven deadly sins committed by QSAs, shown examples of what those mistakes look like, and given you guidance for how to avoid them or navigate your way through them if you find yourself in the middle of one. If you must comply with PCI DSS, one of the best investments you can make in your people is to put them through the same training QSAs go through and have them certified as Internal Security Assessors (ISAs). This way, you will have an additional check to know if a QSA is making one of these (or other) mistakes and have a chance at catching them before ...

Seven Deadly Sins of a QSA (Part 16)

Sin #7 – Bowing to Threats about the Future

Remember when we discussed consulting being a people business? The last sin we will cover is actually one that can be committed by either party. Maybe more accurately, committed by the QSA, but enabled by the assessee. QSAs sometimes give in to someone who says, “If you don’t mark this as compliant, I am giving my business to someone else.” I’m not talking about a contract issue or some other incidental dispute during the assessment, I’m referring to the rigor of the assessor being used as a bargaining chip.

It’s My Way or the Highway

As an assessor, I’ve been threatened like this multiple times over my career. Having someone in ...

Seven Deadly Sins of a QSA (Part 15), Be My Valentine?

Sin #6 – Q/A Tunnel Vision

The Quality Assurance (Q/A) program is in full swing at the PCI Security Standards Council. After companies started taking PCI DSS seriously and retaining QSAs, merchants and service providers realized that not every QSA interpreted requirements the same. One of the biggest complaints about the QSA community is variance in interpretation on key items that could impact the cost of compliance—positive or negative. The Q/A program was announced at the 2008 PCI Community Meeting ((If you are a stakeholder in PCI DSS and are not going to these meetings, you are missing out.)) and began to take effect shortly thereafter. QSAs were put on the remediation list as early as 2009.

Myopic Assessment Views

The ...

Seven Deadly Sins of a QSA (Part 14)

Good PCI DSS, Bad Infosec Foundation

You may also find that QSAs do not understand your environment thoroughly enough to make an accurate compliance call. More executives are telling me their recent QSAs struggle when assessing complex technology implementations. QSA work isn’t sexy like it used to be. Back in the day, my favorite projects involved helping companies rebuild their network to include security to close PCI DSS gaps. I solved complex problems involving hundreds of people, thousands of machines, and millions of dollars. It was taxing on my brain, but I absolutely loved the challenge! Solving PCI problems five years ago required considerable knowledge of how business processes and technology fit together. Most companies facing PCI DSS today are ...

Seven Deadly Sins of a QSA (Part 13)

Sin #5 – The FNG

The Flipping New Guy (FNG) causes havoc wherever he goes. He also goes by the Pimply-Faced Youth (PFY) in some circles, and is often labeled as having the talent to tame a lion, but the experience to raise a hamster. He’s the guy that just went to new QSA training, passed his test, and showed up to do some good, old-fashioned assessing!

Three Days of Ground School

One summer, well after I became a QSA, I earned my private pilot certificate. If you ask my wife, she will tell you she remembers me babbling all of these fantastic ((My word, not hers.)) bits of knowledge that I was learning every day, and passing the time in ...
