The Cart Before the Horse (and you can too!) standard

Clement James writes about a security expert that slams PCI, stating that the breach in the news “was almost certainly the work of hackers exploiting a single code flaw on internal systems.” The expert goes on to say that “PCI takes a relaxed attitude towards internal machines.” While I agree that there is room for improvement on internal controls for PCI, remember, it’s not designed to protect your entire enterprise. It is a basline, and you should layer security on top. The challenge is this: not until the end of last year did we see a compliance validation rate exceeding 60% among Level 1 merchants. If you make the standard too hard, you will have little or no adoption. You ...

Continue Reading

The NRF Goes Past Where the Sidewalk Ends standard

Dude. Seriously. Is anyone at the helm of the National Retail Federation? Did they forget to secure the dock lines on the U.S.S. NRF before they skipped into town for supplies, gleefully quoting Shel Silverstein’s Where the Sidewalk Ends along the way? Let us leave this place where the smoke blows black And the dark street winds and bends. Past the pits where the asphalt flowers grow We shall walk with a walk that is measured and slow, And watch where the chalk-white arrows go To the place where the sidewalk ends. In this recent three question interview with Dave Hogan, CIO of the NRF (courtesy of RIS Executive News Brief), there was either a massive case of misquoting, or ...

Continue Reading

Best way to sum up PCI standard

Andrew Conry-Murray of Information Week writes: Bottom line, PCI compliance is mutable. While a compliance certification is valid for one year, a retailer may perform actions, or fail to perform actions, that take it out of compliance. On the one hand, this is sensible. PCI rules are like the dietary guidelines a doctor issues to a patient. It’s not the physician’s fault if someone with through-the-roof cholesterol ignores advice and eats like Homer Simpson. Could I have said it better? PCI? Program not Project? Homer Simpson? I think not. This is the reason why we created the PCI Program Management offering at VeriSign. This helps customers maintain compliance, and get management confidence that they are compliant every day. Oh yeah, ...

Continue Reading

Electronic “Muddy” Footprints? standard

Sharon Gaudin at Computerworld writes about a new way to use RFID tags. In this article, a new physical security technique is discussed where a worker who walks into a restricted area would pick up hundreds of tiny RFID sensors on their shoes. As they track their feet across the doormat on the way out, sensors pick up that this employee has entered a restricted area, and then release the hounds. Cooler than LED Throwies? You be the judge.

Continue Reading

All QSA’s Are NOT Created Equal! standard

In an unpublished (and scrapped to my knowledge) Top 10 Security Predictions for 2008, I predicted that we would see a breach in 2008 from an entity that had validated compliance (hey, come on…. It’s true, I promise). Does that mean that the standard is not tough enough? Or that companies validating compliance are having a hard time maintaining it? Or possibly that a QSA is not doing their job properly? The first has been discussed at length in the industry. While there are loud detractors to the standard, insiders agree that compliance does not equal security. Compliance is a baseline and security should be layered on top. The PCI standard as it stands is GOOD. Getting companies to comply ...

Continue Reading

See me featured in the March ISSA Journal standard

This month’s issue of the ISSA Journal features my article on simplifying data flows entitled “Data Flows Made Easy.” So far, the feedback has been positive, but what do you think? Also in this issue, the first installment of my monthly column, “Herding Cats: Practical Security Tips for a Wacky World” (Thank YOU Fred Langston!). In here, I explore a simple tip for locating that sensitive data inside your organization. Finally, we have another VeriSign consultant being published this month, Bindu Sundareson’s article entitled “Converged Compliance Management” is included in the March ISSA Journal. Check out the links and read up on the thought leadership that is common in the Global Security Consulting group at VeriSign!

Continue Reading

A SQL Injection Attack! standard

(This post is brought to you today by the letter A). This weekend, I took a hiatus from the computing world and headed down to the family lake house. Time to get ready for summer and clean out all the junk! Well, not junk, but lots of ladybugs for some reason. When we arrived home yesterday, I caught up on my personal email, and noticed that someone posted a comment to my personal blog. Like this blog, when someone comments, I get excited since I’m never sure if anyone is reading. (Please leave comments, it makes me feel useful. Just like all the characters in Sodor want to be.) The comment in particular was an attempt to run a SQL ...

Continue Reading

Rerouting the Boss’s Luggage? standard

StorefrontBackTalk’s Evan Schuman writes about a serious hole in an airport wireless network that could allow people to reroute luggage. Oops… More reasons to carry-on. As it relates to PCI, VeriSign has extensive experience in the travel industry and has dealt with some of the challenges that airlines have. Like a few other industries, it is very unique in its constraints around compliance and security. For instance, something you may not know is that the airports typically own all of the networking and computing equipment used by their tenants. So unlike most companies that have control over the chain of systems that deal with sensitive data, airlines may be forced to start off with a lack of control at the ...

Continue Reading

PCI Security Council releases FAQ standard

The PCI Security Standards Council looks as if they have released that FAQ they have been working on! I can tell you that this is a huge relief for everyone involved (merchants, service providers, QSAs, ASVs, etc.) as the volume of questions that the council was dealing with prevented them from turning around answers quickly. Course, quickly is a relative term. But consider their position. Here at VeriSign, we might submit 1 question every couple of months, but other QSAs may submit more. For every question that VeriSign (or any QSA) submits, they must get buy in on the answer from all 5 members before it can be turned around. You can see how this can easily take days or ...

Continue Reading

Credit Card Security Code Broken by UV Students standard

WJLA News reports that a University of Virginia graduate student and two fellow hackers have cracked code contained in smart cards. Information security rears it’s head again! The company claims they only got a portion of the code, but depending on what they got, it could be enough to launch a feasible attack against those keys. Any reduction in bits can make a huge difference in the time required to retrieve a key. You know, those smart card guys would have gotten away with a sub-par setup if it weren’t for those meddling kids…

Continue Reading