PCI Council Releases New PTS Standard

The PCI Security Standards Council released a unified PIN Transaction Security (PTS) standard yesterday under the title Point Of Interaction (POI) Modular Security Requirements. The new PTS POI standard unifies what were previously three separate standards: the Unattended Payment Terminal (UPT) Security Requirements, the POS PIN Entry Device Security Requirements, and the Encrypting PIN Pad (EPP) Security Requirements, all of which now sunset on May 12, 2011. According to the release: The standard introduces a new modular approach for testing all PTS points of interaction, which includes two new optional modules in addition to minor updates to the existing requirements. The Open Protocols module addresses the security of PIN Entry POI devices that utilize external connectivity, and the Secure Reading and Exchange of Data (SRED) module is designed for ...

On Scope Shrinkage in PCI DSS

This is a guest post by Anton Chuvakin (RSS), co-author of our PCI Compliance book. Follow him on Twitter at @Anton_Chuvakin. People who came to PCI DSS assessments and related services (such as compliance gap analysis and even implementation of PCI controls) from doing pure information security often view scope reduction as “a cheap trick” aimed at making PCI compliance undeservedly easier. They only think of scope reduction as limiting the area where PCI DSS security controls apply—with negligence, supposedly, reigning supreme outside of that sacred area. However, PCI DSS scope shrink is not just a cop-out aimed at not protecting data. It is not just a “PCI project cost reduction” measure. Some half-witted analysts propagate this ...

What Egress Filters Should I Use?

Another reader comes to the rescue! This reader asks: Like everyone else, I have been so involved doing ingress filtering that I have neglected egress filtering. To me, ingress filtering is easy: block everything except what is absolutely necessary. Egress filtering is another animal. Everyone tells me I should do it, but no one tells me what I should be filtering for. Can you suggest a basic scheme for a small to medium business (SMB) to follow? Great question! And you are most definitely correct in that the majority of guidance on firewalls focuses on how to limit traffic from untrusted networks into trusted networks. Outbound traffic tends to be much trickier for several reasons, like: You have to do ...

Herding Cats May: Love the Lawyer You’re With

Have you checked out ISSA Connect yet? The next issue is up there with my column, Love the Lawyer You’re With. This issue’s theme centered on information security and law, so I wanted to challenge security professionals’ thinking about their lawyer comrades. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, go sign up!

April 2010 Roundup

What was popular in April? Consumer security and various news posts topped the list! I’m also working out the kinks on getting my daily links posted here. Here are the five most popular posts from last month: What’s a Token? This post is inspired mostly by the “vendor marketing machine” as we as security professionals try to break through the FUD to get to an apples to apples comparison ((Ran out of space before I could throw in another cliché.)).  This post tries to put a little bit of sanity back into our lives by offering up a definition of what we can call a token. Avoid Looking Like a Rookie. History was created with this one as I finally ...

PCI SSC Launches Internal Security Assessor Program

The PCI Security Standards Council announced on Friday the creation of the Internal Security Assessor (ISA) program. If you recall, we had some fun with MasterCard last year when they floated and then retracted some changes in their SDP program. The one change that stuck will be causing a small subset of Level 1 merchants pain—the inability to self-assess. If you recall, Level 1 merchants have always been able to self-assess IF they have a C-level executive sign off on it. Self-assessing sounds attractive until that last part. While the vast majority of Level 1 merchants choose to use a QSA, there are a few that have been self-assessing for years. In fact, one colleague in particular discussed ...

To Europe: Have You Found Your QSA?

I’m writing this from the lovely (and quite steamy today) Terminal 3 of London’s Heathrow Airport after spending a week talking to clients, partners, and industry professionals about information security issues in Europe.  It’s clear that PCI DSS is one of the biggest issues facing security professionals in Europe, and will likely dominate many of their lives for the next 12-24 months ((Another bonus, our book sold out at Infosec Europe, and has apparently been a very big deal in the EU.  Someone even told me they bought it IN A BOOKSTORE!  Never seen it in a bookstore in the US.)). My question to you is, “Have you found YOUR QSA?” PCI DSS is something we’ve lived with for many ...

Pushing Virtualization to the Store

One of the key areas that stands to benefit from wide adoption of virtualization is the retail store front. It’s an expensive road to get there, but it would be a long-term benefit to retail. Why is it expensive? For one, you have the problem of scale. It’s difficult to stomach an investment that requires touching all of your stores. The long-term benefits can be substantial depending on how you approach it. If you touch all of your stores ONCE with an upgraded, beefy machine that can run a hypervisor, you can continue to stand up and offer new services for quite some time without physically touching your stores. This can be a huge benefit for companies looking to roll ...

Views on Application Security

I had an interesting conversation with a client the other day, and while shocking at first, it made a ton of sense long term when looking at how to apply security controls to assets based on risk. I’ve blogged and written about things like this in the past, but the concept was interwoven as a theme to a different concept, or altogether buried under links to YouTube. The conversation was with a customer that wanted to put out a small informational site in support of a minor product feature, but also wanted to have the ability to dynamically update content through a web browser from anywhere in the world, as he and some of his less technical staff thought ...

Avoid Looking Like a Rookie

In my recent presentation, “The Mistakes QSAs Make,” one of the mistakes I highlighted is that QSAs will often send the F’ing New Guy (FNG) to perform your assessment.  Now before we go bagging on junior consultants, I want to be clear that (most) of these guys are both capable and qualified.  Starting this year, new QSAs have to take a closed book exam which should cause the amount of late night partying and drinking to decrease during training, and push the fail rate up (which is not necessarily a bad thing). Let’s say that you are the FNG.  Step Zero to avoiding looking like a rookie is to admit to yourself that you are the FNG.  Once you admit ...