We Should Question Bold Claims that PCI Is “Highly Effective” standard

For my first real post of 2016, let’s deconstruct a quote from an article published by eWeek about PCI DSS and 2016. The quote in question is from Jeremy King, International Director for the Council. “The PCI DSS is a mature standard that has proven highly effective wherever it is adopted and used.” The rest of the quotes fall along the messaging guidelines that you hear from the Council (although this appears to be more of a pitch related to the logging SIG), but this one stuck out for me. It reads like something that wants to be true versus something that actually is true. In the Council’s defense, they will readily cite that no fully PCI DSS compliant merchant has ever been breached. ...

Continue Reading

Top Posts from 2015 standard

2015 is over and in the books. It was a pretty busy year for those of us in security & payments. My company went IPO, the largest compliance provider sold (instead of IPO), adult websites were hacked and in some cases extorted, new books and publications, lots of blogs, a step back on SSL restrictions, and EMV. Thanks for continuing to stop by and check out my content. Looking forward to a great 2016 and I will see you at a conference soon! Here’s what you folks liked the most in 2015: Is The Council Trying to Kill the QSA Program? Obviously, any post where you reference Christina Aguilera is going to be something you all will love. The Council finally ...

Continue Reading

Dear Santa, 2015 standard

Lots of time for reflection and requests during this time of year. For those that recognize the elf-herder named Santa, what do you wish for this year? Did you have any infosec wishes? I have one, and the awesome folks at SecureWorld Expo included me in their series for 2015. Go check out my Santa wish for 2015! Need some levity in your office? Check out this call back to a great Steve Martin skit where he discusses his Christmas wishes (transcript).

Continue Reading

WiFi Risks and Travel standard

Holiday travel is about to be in full swing for the holidays, and we’re all going to be wading in dangerous waters as we seek WiFi to keep ourselves and our kids occupied while we move around. Paul Ducklin just put together a great blog post on Naked Security about a risk you should be aware of when connecting to these networks. He specifically talks about unsecured requests for information before you are allowed to reach the Internet. There are a couple of other scary things you should be aware of: Don’t forget that open, free, and no-password-required WiFi is about as wild west as you can get. When you connect to these networks, anything you do that is not encrypted ...

Continue Reading

The Privacy Plug-in You Need standard

Sometimes I’m a bit behind the times on all this new fangled technology stuffs, so I wanted to make sure that everyone else knew that I caught up to 2015 and installed Ghostery. Ghostery is a cross-platform browser plugin that will help you select which tracking networks you want to participate in and which ones you want to block. If y0u have ever been annoyed by countless ads for some product that you Googled late one Saturday night that one time, this is a product for you. Here are my two reasons for keeping this installed on my machines: It allows me to selectively whitelist both certain ad networks and certain sites. So, for example, if I want to support ...

Continue Reading

Need help with Social, try an Audit! standard

As I was thinking about a quick topic for this Thursday post, I came across an article about using social media in your business. Virtually every information security vendor leverages social media in some form or fashion. Twitter and blogging appear to be the most popular from my perspective, but are we really taking advantage of all that social has to offer? Keith Quesenberry wrote a fantastic post that discusses how to treat social media like a journalist, and even gives readers a tool for conducting their own social media audit. If I’m still showing up on the radar of a certain PR firm that represents a certain global industry group, this might be one that you put in front of ...

Continue Reading

The Un-Sexy Process of Vulnerability Management standard

This week I wrote a blog post over at AlienVault entitled, Internal Scanning for PCI Compliance—Not Sexy but Necessary. Many of us who work in security started our careers doing some kind of vulnerability chasing. It’s our version of firefighting. Look for a vulnerability, patch it, and repeat. As our environments grow, the fervor with which we perform this endless cycle builds until we realize that it’s ultimately unsustainable. That’s when we start to look to treat the cause with the symptom. Go check out the post and let me know what you think. Does IT Hygiene end up being one of the root causes to vulnerability wildfires in our organizations? How do small businesses with little to no IT ...

Continue Reading

Will EMV Drive Sales to Amazon? standard

Retail and financial computer networks have almost frozen for 2015, and businesses big and small are gearing up for what will no doubt be an interesting holiday season. Does EMV chip dipping, which is not nearly as awesome as guacamole chip dipping, drive transaction times up and make lines longer for retailers? Do we see more physically abandoned shopping carts as more turn to online retailers to effortlessly complete their transactions and get back to Netflix and chilling? Let’s focus on the transaction times for a moment. Retailers with inefficient implementations of EMV terminals may end up suffering from added labor costs. In order to keep people moving through their lines, more registers will need to be open, which means ...

Continue Reading

Game Theory and Payment Security standard

For those of you who do not know, the Federal Reserve branches (the head ones for each district) all conduct and publish research and facts on their respective webpages. The Kansas City Fed is one of my favorite places to go to look for current (and historical) research that is relevant to our industry. Last month they released a summary from the 2015 International Payments Policy Conference which included a session on applying Game Theory to payment security. I’m fascinated by game theory. It’s an area of applied mathematics where even someone like me (who is NOT a math whiz) can grasp. The primary models they applied appear to focus on the EMV liability shift to examine payoffs and equilibria before and ...

Continue Reading

Will Plastc Succeed where Coin Failed? standard

Facebook has some really interesting ways to position products in front of its users. Not one day after a few of us went on a Coin rant I was presented an advertisement for Plastc, a bigger and better version of Coin that includes an EMV Chip. Early adopters of Coin had mixed results with the card itself with some merchants refusing to accept it, and current users are struggling with the lack of chip support in the device. Here’s why Coin will slowly be phased out in a way to be completely ineffective. Embedded in the magnetic stripe of your payment card is a collection of data that is submitted for payment when you swipe the card. One of the ...

Continue Reading