September 2010 Roundup standard

What was popular in September? We had the PCI 2010 Community Meeting in Orlando, embargoed documents from the Council, some posts that poked a little fun, and a cloudy experience with Desktop as a Service! On that last one, apologies for the incorrect link to the VMWare release. At least you guys know what I was wondering about when I worked on that edited post. Yes, I was concerned about that fungus.  It’s benign tho, so don’t worry. Here are the five most popular posts from last month: Review of the 2010 ____ ____ Meeting. Sometimes the most popular posts only have a few days to percolate.  That would be the case with my initial review of the PCI Community ...

Continue Reading

Full Review of the 2010 PCI Community Meeting standard

Note: After my last post, I received a phone call giving me permission to fill in the blanks. So here’s what I really wanted to say! It’s almost like a madlib.  In fact, you should try that with the last post, I bet it would be fun! PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the PCI Community Meeting that just wrapped in Orlando! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (like a Participating Organization, QSA, ASV, or described by any other of the acronyms we have come to love) you are missing out. Of course, the first thing we ...

Continue Reading

Review of the 2010 ____ ____ Meeting standard

PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the ____ ____ ____ that just wrapped in ____! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (like a ____ ____, ____, ____, or described by any other of the acronyms we have come to love) you are missing out. Of course, the first thing we all heard was the ban on social media. Ironically, there was a press table in the back, so I’m not sure what those guys are going to be able to do with the info if they cannot write about it. Anyway, here’s my take: Wednesday’s session kicked ...

Continue Reading

MasterCard Service Provider Registration Explained standard

Edit (July 2, 2022): A very helpful reader let me know the PDF linked below was removed from the MasterCard site. I found the PDF and have re-linked to the latest version. It appears that MasterCard has removed the details on their registration program, which suggests it may no longer be active. MasterCard released (or re-released) a guide on how to become a registered and approved Member Service Provider (MSP) as a requirement to be listed as a compliant MasterCard Service Provider. The PDF linked above has a detailed process for completing this, including two major tasks spread out over several days. The first step is to apply for and receive your user ID under the MasterCard Registration Program. After ...

Continue Reading

How Desktop as a Service (DaaS) can Benefit You standard

Among all the fancy “as a service” cloud acronyms, one that is particularly interesting to me is the Desktop as a Service (DaaS). It seems like most information workers have a personal device and internet connection for their intertube browsing needs—many of those personal devices easily outperforming their corporate issued bretheren. So why do corporations insist on issuing laptops to road warriors when many of us end up carrying multiple devices (even if one of those is an iPad)? One big reason why I see this being an issue is support. IT support centers cannot be expected to efficiently troubleshoot problems on machines where they are unfamiliar with the build (i.e., non-standard builds or non-gold builds). Anyone out there who ...

Continue Reading

Do you know your IT? standard

This post is mostly going to apply to smaller companies as I would HOPE (tongue in cheek a bit here) that larger merchants wouldn’t have this problem. Small- and Medium-sized businesses (SMBs) have more advanced software tools available to them today than ever before. Cloud-based solutions allow for multi-million dollar software packages to be available to SMBs at affordable monthly subscription prices. This level of business analytics, automation, and intelligence can make a big difference in how a business competes.  What once would take dedicated headcount can now be automated and scaled. But with great power, comes great responsibility. SMBs that entrust their business or data to these third parties must invest time and effort to understand not only what ...

Continue Reading

What’s the Value? standard

If you were to give someone the task of protecting a room that holds anywhere from $10,000 to $100,000 in cash, the yearly spend to protect that room (in basic risk management theory) should not exceed the Annualized Loss Expectancy (ALE).  ALE is a simple representation that contains an extremely complex portion of applied mathematics called probability. ALE = Impact of the event in Dollars * Probability of that event occurring on an annualized basis ((Meaning if the event probability is once every three years, you would use (1/3) here.)) Why is this complex? How hard is it to multiply a couple of numbers together? Imagine if someone tried to explain the complex dynamics of Football to you by saying, ...

Continue Reading

Herding Cats September, Trusting Trust standard

Have you checked out ISSA Connect yet? The next issue is up there with my column, Trusting Trust. What would we do without a little bit of trust? Our lives would certainly be much less convenient, and has the potential to be more secure. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

Continue Reading

August 2010 Roundup standard

What was popular in August? I personally closed out the month with a huge milestone, corrective surgery that should hopefully remove my requirement for glasses and contacts. I am in recovery, and can SORTA see this post, so I disclaim any responsibility for the content herein.  Actually, should probably do that for the whole blog. Here are the five most popular posts from last month: Why QSAs Should Not Be Your Security Partner. That’s right, folks. It’s time to separate your consultants from your assessors. Do you know what motivates QSAs?  Here is an inside scoop on what goes on inside your QSAs head, and why he doesn’t have your best interests in mind. Where’s the Breach? Is this the ...

Continue Reading

PCI DSS versus Y2K standard

It’s been an interesting week in the PCI DSS world. I was a contributor to a Webcast from First Data on scope reduction using Tokenization.  We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have gotten a flood of emails reminding me about the community meetings in Orlando and Barcelona. From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the pacific rim, middle east, Asia, and Europe. Australian and New Zealand based companies seem to be taking particular interest in PCI DSS, equivalent to the levels we saw in early ...

Continue Reading