MasterCard/Visa Remove Reciprocity

Thanks to a fellow reader for pointing this out!  It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions.  Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection). Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold.  Now it appears that this is the case as the official merchant level definitions reflect exactly this. Unfortunately, the road does not end there.  In fact, it starts forking like crazy. Now that ...

The Lost Assessment

Like many fans of Dan Brown’s character Robert Langdon, I was one of the first to tear through The Lost Symbol last month.  Symbology in ancient and modern cultures is fascinating, and somehow while I was reading the book, I made a parallel between this final lost symbol (no spoilers here, you need to go read the book!) and the quest for security and compliance nirvana. In the book, Mal’akh is searching for what he believes is the final piece to a puzzle that will make him an all-powerful, deity-like creature.  His quest began while imprisoned in a Turkish prison (yes he HAS seen the inside of a Turkish prison, Clarence) with the son of a prominent 33rd ...

Curious on Visa’s Deadlines?

Are you wondering which deadlines for PCI DSS have passed and which ones are upcoming?  Unfortunately, in most cases the deadlines you are looking for are in the past, with some exceptions.  That’s one of management’s challenges to PCI. Manager: “Tell me what the date is, and I’ll work toward the date.” You: “More than a year ago.” Manager: “I can’t manage to that. Go get an extension and tell me that date.” At this point, you pretty much should just make up a date.  Sure, an acquirer can give you a date, as can some payment brands, if you pick up the phone and call them. It does not ultimately mean anything if you are breached tomorrow. For those ...

On Writing: The Funnel vs. the Brain Dump

Ben Tomhave posted a GREAT overview of what he calls The Writing Funnel—his method of organizing thoughts into publishable content.  If you have not already read his post, you should stop by the link above first.  A ten minute read and well worth it. Ben describes how a thought becomes content in his “Falcon’s *-line (star-line) Approach to Writing” as three unique steps: Offline, Tagline, and Outline. For the majority of my writing, I use both the Offline and Tagline concepts in almost the exact same way. The Offline concept for me works well in a couple of areas, such as working on a plane without Wi-Fi, or in a place where I cannot (or do not wish to) connect ...

Visa Releases Data Field Encryption Guidance

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals ((paying homage to The Security Catalyst’s “3s and 5s” rule)), and thirteen best practices that companies can implement to meet them. The five goals as listed in the bulletin are: Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption. Use robust key management solutions consistent with international and/or regional standards. Use key-lengths and cryptographic algorithms consistent with international and/or regional standards. Protect devices used to perform cryptographic operations against physical/logical compromises. Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after ...

The Social Media Ban

Attendees at the PCI Community Meeting in Vegas two weeks ago were treated to an interesting warning at the opening of the session: no social media or blogging during the meetings. I know that I picked up on it more than anyone else, as I tweet and blog just a little. It didn’t take long for attendees to be warned about its use. During Bob’s opening remarks, he cautioned users not to tweet or live blog the events. The two-part irony behind the situation is that members of the press were welcomed into the meetings this year, and three of the five founding members of the council have embraced Twitter: Discover, MasterCard (including four executives), American Express (albeit just a ...

Herding Cats, October 2009

Is now available!  This month?  “Using the Popular Press.”  Lots of SQUIRREL references for all you fans of Up, and of course, @Beaker. Check it out here!

The Definition of Cardholder Data

The definition of cardholder data for most of us usually stops at the Primary Account Number, or PAN.  Those pesky digits that we have to protect as they run through our systems cause CIOs to cringe and security professionals to salivate over potential budget money.  Before you can embark on your information security journey, you need to understand what you must secure, and where it is.  I’ve posted about this before. As this is one of my most popular posts, I wanted to go back and revisit this post. When I wrote this post, we were still dealing with PCI DSS v1.2.1. While the definition has not changed in more recent versions, the landscape has quite a bit. I’ve updated ...

Ask the Council

Vegas is in the books, baby!  I’d call it a successful community meeting.  The networking opportunities were fantastic, and the sights were awesome ((including seeing Russo dress up like Elvis which I did not take a picture of… see Bob? I can play within the rules :).  More on the handling of social media later…. it was not handled well.)).  For those staying in THEhotel, we got to walk off calories consumed with the long walk from the room to the conference center that we made at least twice daily.  Of course, it is Las Vegas.  It’s REALLY hard to concentrate when you know that you don’t have to walk far to be bombarded by flashing lights, bells, whistles, and ...

PCI Community Meeting Update Schedule

The meeting this year promises to be a goodie!  What you won’t see from attendees (including me) is any live blogging or tweeting about the meetings this year.  I’m going to be responsible this year, and will blog about the event AFTER it happens. Don’t expect any confidential information to be revealed (though that’s not something you should expect from me if you have been reading my blog for any period of time now).  Concepts that you might find here will always apply knowledge in a general manner.  I will do some kind of wrap up posting series next week. So this week, look for us at the PCI Community Meeting, and come to the Welcome Reception sponsored by VeriSign ...