Where’s the Breach?

All we need to top off this post is a little old lady screaming “Where’s the Breach?” God bless 80’s marketing. A merchant out of Austin, Texas is claiming that a breach in their network came from Heartland Payment Systems (HPS), thus it must be HPS’s fault. While I am sure this is not the first merchant to be caught off guard, he’s certainly a creative one. Our culture in America seems to relish deflecting blame from oneself onto others. Why, it couldn’t be me, it must be that guy over there. What’s interesting about this particular case is that the quotes in the article are being interpreted in a manner that is inconsistent with these kinds of breaches ...


The Council is Such a Tease with PCI DSS 2.0

They totally are! Giving us this little tiny preview of upcoming changes without really getting too specific. It’s like me saying, “Dude, that chick is HOT!” Then when you ask me to describe her I say, “It’s a lady all right!” OK, back to the real reason you are reading this: the changes to PCI DSS and PA-DSS slated to drop on October 28 are outlined here. The majority of the document reviews the new lifecycle, how and why changes are made, and the three general types of changes outlined: clarifications, additional guidance (which is just a fancy way to say clarification), and evolving requirements driven by new threats or a change in the market. This release represents ...


Herding Cats August: Embrace the ISA Program

Have you checked out ISSA Connect yet? The next issue is up there with my column, Embrace the ISA Program. Some industry folks fear the empowerment that the Internal Security Assessor (ISA) program from the Council brings to the table. I, for one, see it as an opportunity to more accurately assess PCI compliance. Oh, and the Hoffacino makes a cameo 🙂 If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!


Why your QSA should not be your Security Partner

This one is link-laden, folks. Enjoy 🙂 It’s just mere weeks before we’ll see the FOURTH iteration of the PCI DSS, and companies inside the US seem to be getting better at it as we go. PCI continues to be a driving force in information security, and as the standard changes, your business environment will undoubtedly change as well. Many merchants and service providers mistakenly depend on their QSAs to find all of their security and PCI compliance issues. Considering the downward market pressure on assessment prices, many security professionals are discussing how QSAs are pressured to produce a complete and compliant ROC in the cheapest way possible. QSA companies are motivated by three main things: Scope and price the deal in ...


July 2010 Roundup

What was popular in July? We wrapped the month with some fantastic presentations at Blackhat, Defcon, and BSides. I am enamored with the fun stuff browsers can do (and the not so fun things done to the people who ineptly run them), and am approaching application security with a renewed vigor. Here are the five most popular posts from last month: PCI Security Standards go to Three Year Lifecycle. More than twice as popular as its nearest challenger, this post details some of the pros and cons of the new three year lifecycle that all of the standards will adopt starting with the pending release. Tokenization and Chargebacks. The NRF is making more waves, and Visa released new guidelines. Check out this post ...


2010 Verizon Business Data Breach Report Released

Verizon Business released their 2010 Data Breach report hours ago, and with the addition of Secret Service case data for the 2010 report, there are a ton of interesting things in here. Here are a few of the highlights that I took from the report: Financial & Hospitality Beware: These two categories represent 56% of the organizations involved in breaches (add in retail and you are up to 71%). Those of us in the industry know the ridiculously poor state of security in the hospitality sector. Now with the economy on its way to recovery, these businesses will once again see an uptick in business, and criminals will see an opportunity to capture valuable data. Medium-Sized Businesses are in the Crosshairs: The grouping ...


A Thought to Take You to the Weekend

It’s been a crazy week, and I’ve been busy gearing up for BlackHat on top of all the fun stuff my day job entails. To close out the week, I wanted to throw something at you that I thought about while discussing how to better approach compliance initiatives. It’s a simple one-liner that really describes why companies should invest in security instead of compliance: A good information security program makes compliance with any standard a tweak, not an overhaul. Compliance should not be the notion that drives security in your organization. Security, among other things, should support and drive compliance. Compare that to your approach. Does that fit with how you execute your security strategy? If not, why?


PCI Council, How About a Map?

When I started writing this post, I was trying to think of a metaphor for a map and a journey of some sort, but everything came out dripping with Cliché Cheese (it’s somewhere between month-old shredded Cheddar cheese that you would toss on some chips and zap for “nachos,” and that orange substance you get on nachos at a high school football game) or would have made sense only to a limited audience (shout out to the P1, between the devil and the deep blue sea, and kick the tires and light the fires… as it were). The point I was trying to make, however, was that in light of PCI, we seem to be navigating a changing world with a ...


Tokenization and Chargebacks

The NRF released a brief yesterday discussing the clarification Visa made to its operating regulations related to the storage of full card data after the transaction. As suspected, some acquirers and processors were interpreting the rule to mean that Visa required merchants to store the full card number for things like chargeback processing (the clarification was made on the issuer side of the transaction). Of course, with a phone call, acquirers quickly seemed to learn what the real intent of the rule was. I can only describe this second hand, but here’s what I know for sure. Over the last 6+ years, I have worked with many merchants to help them rid their systems of PANs. In exactly zero instances, I ...


Level 2 Merchants, Are Your Folks Trained?

Is anyone thinking about June 30, 2011 yet? If you are a Level 1 or Level 2 merchant, you certainly should be! Here’s why: MasterCard had a rough time last year. They made some new rules, they changed the rules, and then they removed many of those rules. This year, they worked out the kinks (arguably something they should have done before the first announcement) and have a revised set of requirements. Remember us talking about reciprocity last year? From the excellent post by Chris Mark on the end of the Level 4 Merchant, to the retraction and the strange website posts and commentary by MasterCard, reciprocity was a hotly debated issue. As of this writing, the reciprocity on MasterCard’s website ...
