Why You Should Love a PCI Hater!

Ahh, the haters.  Everyone who deals with PCI on a regular basis knows one.  Sometimes they take the form of a guy that doesn’t want to actually do his job, or an armchair security gal, or your nemesis that uses his industry position to irresponsibly spread false propaganda, or true security experts that point out serious concerns or flaws with the standard.  As security professionals, we key stakeholders (including QSAs, ASVs, payment brands, and the framers of the standard itself) need to listen to the last group intently to ensure that we understand the risks as they pertain to the changing threat landscape, making adjustments where appropriate to protect the data entrusted to us. PCI haters are valuable people.  By ...


PCI Community Meeting, Vegas!

I hope to see many of you next week at the PCI Community Meeting in Las Vegas!  VeriSign will have a booth and is a sponsor for the event.  If you are going, please do stop by our booth and attend our sponsored cocktail hour!  We’ll have some goodies and some exciting news for everyone that stops to chat! At this point, I’m not sure what kind of coverage I’ll be able to provide from the meeting, but more on that soon. Before you arrive for the sessions, I urge you to review the myriad of information available on the PCI Security Standards Council website, including the recently published SIG papers, and prepare your questions.  This is your chance to ...


The Dangers of Hindsight

Bob Carr gets it. He had to suffer through one of the largest credit card breaches on record to get there, but he gets it. Digital Transactions Magazine published an article featuring Carr entitled Don’t Hire a QSA by Seeking the Lowest Bid, Warns Heartland’s Carr.  In it, Carr painfully recalls how his previous assessors did not provide him much value, and how the low-cost bid is rarely ever the best bid.  If you read his article, he doesn’t specifically argue that costs should start escalating quickly, but rather he argues that companies should spend the time to get a QSA that does a thorough job, and is not motivated to get in the door, go as quick as possible, and ...


Getting the Most from your QSA

Bill Brenner of CIO magazine published a feature article on Wednesday entitled “4 Ways to Get the Most From Your PCI QSAs” where he picks four main things to focus on when using the services of a QSA.  VeriSign published a whitepaper last year reviewing several items to consider when shopping for a QSA, all of which tied back to Brenner’s recommendations. Brenner asserts that the four ways to get more from your QSA are: Choose your vendor wisely. PCI compliance is probably an important project to your organization, so be sure you find a QSA that will make your project successful.  Don’t hastily throw a solution together, treat it like the strategic project it is (and then treat it ...


Visa Makes Registration Easier!

Are you a service provider frustrated with the steps you have to go through to become listed on Visa’s global list of PCI DSS validated service providers?  The process of getting listed when you are not a member or a direct agent of a member seems clouded and painful, until now! Visa recently added a very detailed Third-Party Agent (TPA) section to the Risk Management section of their website that details exactly what needs to be done to be listed on the site.  If that were not enough, there is a fantastic FAQ in PDF form that you can take with you wherever you go. As part of this change, Visa eliminated all of the old classifications like Independent Sales ...


Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference?  According to Oracle, they didn’t want administrators to have to choose between installing updates in a timely manner and attending the conference. That’s funny for me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers in a couple of days (the original release was slated for October 13, and the conference ends on the 15th).  In fact, between Oracle DBAs and z/OS Administrators, I don’t know who wins the prize for yelling the loudest about patching within thirty days. THIRTY days. Not two days.  THIRTY ...


Blame MBAs for PCI Remediation Costs!

Do you ever wonder how we got into this situation?  Where merchants are facing tremendous fines for non-compliance, companies are being compromised by hackers here and overseas, and data security programs seem to be non-functional at best (if not non-existent)? I’ll tell you how… MBAs.  Yep, those pesky folks that learn the inner workings of how to take advantage of numbers to best increase their own personal compensation.  Yes, another MBA dog-pile.  And I feel qualified to pick on my MBA brethren because I are one.  All seriousness aside (did I do that right?), let’s think about how payment systems started inside retailers.  This is a classic example of the Build vs. Buy problem in every single MBA finance class.  ...


Speaking at VMWorld!

Are you at the VMWorld show?  If so, be sure to attend my panel discussion entitled: “Virtualization and Compliance: The Auditor’s Perspective” today at 11:30am in room 310!  Joining me on the panel will be Nigel Tranter, Partner at PSC, Ray Zadjmool, Principal Consultant at Tevora Business Solutions, and Bill Hau, Vice President at Foundstone.  The panel is moderated by Charu Chaubal of VMWare. Hope to see you there!


Herding Cats, Bringing You up to Date!

I’ve been neglecting you all.  I usually post PDF versions of Herding Cats here on the blog for you all to read!  If you are not an ISSA Member, stop what you are doing and click here to join.  If you are, you can catch Herding Cats in the ISSA Journal online or in print!  The last edition I posted was from April.  Here are the ones that I have published since then:
The Perimeter has Left the Building, 08/09
Security is a Mindset, 07/09
The Cost of Ethics & Integrity, 06/09
The Breach You DID Expect, 05/09
Don’t forget, you can see all the editions right here on the site!
