I want your old data!

Kotaku recently reported that a cache of Xbox 360s and PlayStation 3s offloaded to Circuit City has tons of fun data on them. Smaller merchants are buying these things for pennies on the dollar in hopes of reselling them for a profit in their stores. I’ve heard that these things are everywhere! Folks, don’t forget that every one of these devices that you plug into the wall or that has a battery is basically a computer. Sure, it may not be the one that you are reading this post on, but it is a scaled-down version of the same technology. You know that VoIP phone sitting on your desk? Yep, a computer. Aside from the data security issues associated with ...

The Art of the Compensating Control (Part 1)

Few payment security professionals can find a hotter topic than compensating controls. They always look like this mythical accelerator to compliance, used to push PCI compliance initiatives through to completion at minimal cost to your company with little or no effort. Sound familiar? I wish I had a tape recorder at every meeting where I heard the phrase, “Don’t worry, we’ll just write up a compensating control for this.” It may not be as great as the twenty-seven-minute-long video floating around of every single expletive uttered during The Sopranos’ legendary run on HBO (How impressive is twenty-seven minutes? Seriously!), but I bet I could fill a few podcasts with the audio. Compensating controls are challenging. They often require ...

Follow-up from PCI Congressional Hearing

It’s been a few days now, and the dust is still settling, as they say. Anton Chuvakin posted some great thoughts on the hearing, including one that I TOTALLY missed. In Mr. Jones’s (CMS 7.18. Look it up.) defense, the site that has the XSS error in it MAY NOT be in scope for PCI depending on where the code base lies, but regardless, the vulnerability is inexcusable from a guy talking to Congress about this stuff. I fired the info around to some of our consultants and had a couple of responses of note. James, a Consulting Manager in our group, says (I am paraphrasing some of this): The contention that PCI forces retailers to stray from their core competency ...

The Art of the Compensating Control

It’s April, and what does that mean? It’s time for ISSA’s 2009 PCI issue! The feature article for that issue is The Art of the Compensating Control. You can download this version from the website, even if you are not a member, at http://www.issa.org/Members/Journal.html for the rest of the month. If you are reading this after April 2009 and want a copy, let me know. You readers of the blog are going to get a special treat! The original article was much more casual and entertaining than what we ended up publishing in the Journal. Thom reviewed the first final draft of the article and said that it was much too casual. He was absolutely right. I can’t tell you ...

For the record, I Love Dave Hogan!

I got a few comments yesterday that made me think that some of you have the wrong idea. OK, I admit, the EDI/CIO comment I made yesterday morning was over the top, and as an act of contrition, I will tell you that yesterday I was told not to wear a shiny shirt, suit, or shoes to a particular customer because their CIO didn’t like shiny consultants. My shirt was quite shiny. That would have been helpful to know before I packed. DOH. Before I go any further, I do realize this is April Fools’ Day. What you are about to read is NOT an April Fools’ joke. To help illustrate that point, you won’t see any backhanded compliments ...

Review of PCI Congressional Hearing

If you missed it, you can see a recording here! See what the Twitterverse had to say by searching for #pcihearing. TONS of coverage on this. First, I am very proud of our Congress for putting this hearing together. It is clear how serious this situation is when listening to the prepared, pointed statements read at the beginning. I hope I don’t make anyone upset, but I do giggle a little bit when non-techie folks trip up on techie terms. I certainly expect someone would giggle at me if I were reading a statement full of detailed medical terms and missed the words. Regardless, huge props for taking the issue on. In the next paragraphs, clicking on the individual’s name ...

How a Little Push can put you into a Freefall

Last week I moderated a panel at a PCI-focused dinner in Chicago. Big props to the folks that helped to plan this (Alex, Melissa, Ben, and Diana from VeriSign); the event was great! The panel participants were heavy hitters from the industry, including Anton Chuvakin from Qualys, Davi Ottenheimer from ArcSight, and Bill Cook from Wildman Harrold. Anton has a few great points from the event that he has posted on his blog here. We had a fantastic discussion, and there were even great discussions among the panelists that revealed conflicting opinions. We had so much discussion that we were unable to go through the entire list of questions I had prepared. I had thirteen, and we only were ...

Guest Post: Compliant Compromise

The following is a guest post by Frank Castaneira. Frank is a Sr. Consulting Manager inside the Global Security Consulting practice at VeriSign. Matt Hines recently wrote about the PCI Council discussions on the applicability and adequacy of the PCI Standard given reported breaches of validated entities such as Hannaford and Heartland. Branden recently discussed the PCI Council conversation on March 6. Branden suggested greater visibility by the Council into the incident response process. This posting amplifies on that solution and provides other perspectives. The discussions mentioned in Mr. Hines’ article focused on the QSA (Qualified Security Assessor) posture that an annual on-site assessment is relevant only for that point in time. Although I recognize the issue (point in time), my ...

Hello Chicago!!

I’m sitting in the Starbucks (a.k.a. my mobile office with thousands of locations worldwide) on Ohio and State in Chicago preparing for our event this evening. I am moderating a round table discussion with some prominent industry experts around PCI, one of whom is the venerable security pundit Anton Chuvakin. If you have a minute, please go read his recent post from his panel in Denver last night. He posed a very interesting question that I think we will be posing to our audience tonight! Check it out!

Don’t forget to Vote!

The Bloggers at RSA are doing awards this year! The Social Security Awards need your nominations. Your nominations are due by March 31, so go vote now! As a reminder, here is what you need to do to vote. Go to the link above, then click Next. Under Most Entertaining Security Blog, put my name, the URL (http://blogs.verisign.com/securityconvergence/), and that you think I’m WACKY!