E2E Encryption Reduces Probability, Not Eliminates Liability

Ahh, back to thinking about Prague.  I can almost taste the goulash! End to End Encryption (E2EE) is widely discussed, but its effects are largely misunderstood by merchants looking for relief from the burdens of complying with PCI or government rules and regulations.  Merchants have approached me asking if implementing E2EE will eliminate their liability and PCI responsibility. This exact question was asked in Prague during the Q&A session. The first issue here is E2EE is not likely a reality we will see anytime soon.  Remember the ends we are dealing with here.  End the first is the device reading the payment instrument, and the other end is the issuing bank (or issuing processor) that ultimately approves the transaction.  All ...

To New Beginnings

Yep, it’s true.  Today is my last day at AT&T/VeriSign where I’ve absolutely enjoyed the last six years of my career. I started thinking back to the last job I left. It was an internet service provider that was local to Dallas (long since gone belly up and litigated to pieces).  It was my second job while building one of those small, two man dot-com start-ups in the mid 1990s.  I left the job in 1998 when we sold our startup.  That’s just over eleven years ago! I’ve been with Guardent/VeriSign/AT&T for six years. Prior to that I was with the investment company that acquired our little startup in 1998 until management decided to unwind it. Things are moving fast.  ...

More Fun with Hashed PANs

Hashed PANs are a double-edged sword.  Hashes seem to be coming up quite a bit lately, and in fact there was a question about hashed PANs at the PCI Europe meeting. Luther Martin at Voltage discusses one of the two main issues with hashing, and that is the ability to create rainbow tables whereby you can easily take a known hash value and back your way to the input used to create it.  Granted, one of the issues that exacerbates this for cardholder data is the limited keyspace in which card numbers are valid.  Remember they all start with published six-digit BINs, and any number must pass a Luhn check.  But, before we dance on hashing’s grave, let’s ...

Herding Cats November: got sprintf()?

Ahh, everyone loves some good programming humor, right? RIGHT?!? Yeah, that’s what I thought.  This month I talk about one of the hardest tech jobs out there… the Application Developer.  I used to be one, and I remember the stress of getting projects completed on time, under budget, and with minimal bugs.  It’s a thankless job. So go check out this month’s edition of Herding Cats here!

Too Much Process, the Corporate Lobotomy

Process is a good thing. Some corporate citizens might disagree with that basic statement based on conversations like the following: “You mean I have to go to some website to enter a request for paper clips, and then someone in another office can just reject it because they want to?” Sometimes it doesn’t work.  When you are in situations like this, remember this little saying from a very wise man: “Don’t confuse logic with the process.” Process in other examples can be a really good thing.  Consider the actions you might take to promote code from a test or Q/A environment into production.  The steps you take to do this should be the same every time, and any deviation from ...

October 2009 Roundup

Taking a hint from Anton Chuvakin’s blog, I thought I’d start posting the five most popular posts from the previous month.  If you have not had a chance to read everything here, give these five a try! Here are the five most popular posts from last month: MasterCard/Visa Remove Reciprocity. This post details changes made on payment brand websites that appear to remove level reciprocity on merchants.  Regardless of your level, most acquirers (or acquiring functions of payment brands) will accept a higher level of validation.  You should not be forced to complete both a ROC and an SAQ; submitting only a ROC should suffice. The Problem with Logging. Which kind of logging are you guilty of doing most?  Over-logging?  Under-logging?   Check ...

Will PCI Mandate the Use of Data Discovery Tools?

The PCI Europe Community meeting was set in the beautiful Marriott in Old Town Prague last week, and even though there were fewer attendees than at the meeting in Vegas, there was no shortage of intensity and well-researched questions. One individual asked about the use of Data Discovery tools as a mandate to assist in the scoping of PCI assessments.  Imagine as a QSA walking into a customer, running a tool, and knowing EXACTLY the scope of the PCI assessment you need to perform!  There would be little chance that you under- or over-scoped it, and all those little nooks and crannies that scare the bejeebus out of a QSA would be documented right there for review. If you are ...

Does PTS Apply to ATMs?

I’m writing (but not publishing…. Come on folks, it’s 2009…) this from 35,000 feet, somewhere over the North Atlantic, east of Iceland.  What else am I going to do while sitting in a big, metal recycled-air tube hurtling over the surface at speeds never meant for man?  Think and write about security, of course! I’m heading back stateside after a great PCI Europe community meeting.  I didn’t get the final count, but the meeting had just north of 200 attendees.  It seemed smaller than last year, but that could have been the seating arrangement.  One of my favorite sessions is always the PCI Standards Feedback and Q&A Session.  This year was no different! While the questions in the US ...

The Madness of Sampling

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance.  According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.”  That often leads to the next two questions—the answers to which tend to vary among assessors: What do you mean by representative selection (or how many is representative)? What do you consider sufficiently large to gain assurance? In the audit world, internal auditors that review IT systems will look to statistically valid samples as a method to determine how ...

The Problem with Logging

Kim Zetter from Wired Magazine put Wal-Mart back in the news recently with information about an alleged incident that occurred in the 2005-2006 timeframe.  One of the key issues making the rounds is the following assertion made by Zetter: The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis. Logs serve multiple purposes, and for that reason they tend to grow rapidly.  Sure, storage is cheap nowadays, but every company still struggles with this very basic concept.  While I won’t speak specifically to the Wal-Mart incident (Evan Schuman has some great additions), I will address some of what I see with my customers and their struggles with logging.

Over-Logging

This is more typical than ...
