Branden R. Williams, Business Security Specialist

Will you meet the 6.6 PCI Requirement by June 30? standard

Well? Will you? We’re waiting!?? Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computer World writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6. In this clarification, The Council declared the intent of the code review component to include “Manual web application security vulnerability assessment” and “Proper use of automated web application security vulnerability assessment (scanning) tools.” ...

Brando, On Writing standard

Greetings everyone! Go check out my guest post on Karen Swim’s fantastic blog, Words for Hire. “Step 1: Extinguish the precipitous rubescent LED-based luminosity!” Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Why PCI will Never be a Federal Mandate standard

One of the arguments for becoming PCI compliant is to keep this an industry regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don’t think it is possible. Most federal mandates are designed to protect their citizens (I said MOST… ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession. PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and ...

Am I too trusting? standard

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I’ll do a talk that is not the last session of the day 🙂 While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones ...

PCI Council Reinforces Standard standard

The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we’ve gotten from the council since the announcement of the Hannaford breach earlier this year. This statement is the first to be released to try and counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the council, vague as it is, merchants should feel better about their PCI programs. The PCI DSS, if properly implemented on a merchant ...

Are we ever safe? standard

The Register is reporting that McAfee’s “Hacker Safe” sites are not so much. In the security industry, we typically refrain from saying things are 100% secure, simply because the only 100% secure computer is the one that does not exist. Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

On my way to CSI-SX! standard

Bout to go board my jet-fueled chariot right now. If you are going, look me up on Twitter! I’m planning on taking a cab to the hotel, checking in, and seeing if any conference goings on are… going on. See you there! Possibly Related Posts: Top Posts from 2015 October 2015 Roundup September 2015 Roundup August 2015 Roundup June-July 2015 Roundup

Tee Hee – Eee Pee Cee standard

GloboTV (via Gizmodo) has a story (in Brazilian Portuguese) about some crooks that used the Eee PC to steal customer’s debit information at ATMs. Tee Hee. Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”

Dave Taylor gets it right! standard

Please don’t take the title to mean that Dave doesn’t get it right often, I just wanted to laud this recent column at StoreFront BackTalk. The quote specifically that drives the nail home is: If you’re thinking that the Hannaford security breach is a very isolated “blip” and that PCI compliance is the same as securing the enterprise against security breaches, you’d better think again. Why? It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward. Could not have said it better myself, Dave. The two points he brings out are, 1) Compliance is not the same as security, and 2) you have to MAINTAIN what is assessed. I had a ...

Herding Cats, April 2008 is out! standard

If you are not a member if the ISSA, click here to go sign up! I am a monthly columnist in the ISSA Journal–the publication for the association. This month I tell you how you can learn something from the Department of Homeland Security and Ron “Tater Salad” White. Possibly Related Posts: Equifax is only half the problem, your SSN needs a redesign! Orfei Steps Down Two reports, many questions The Beginning of the End, No PCI DSS 4.0 in 2016 We Should Question Bold Claims that PCI Is “Highly Effective”