Automatic Fuel Dispensers & Skimming

Visa just released slides from a webinar on Automatic Fuel Dispensers (AFDs) as it relates to skimming. Looking at the pictures they included, this is something we all could easily be victims of as there do not appear to be any external signs that you are becoming a victim of foul play (thanks Shane!). AFDs are notorious for having these kinds of issues simply because there is not someone watching over them like a cashier does at a traditional Point of Sale (POS). We’ve seen examples of this occurring in ATMs as well. Not only is this a call to duty for AFD manufacturers to become compliant with PED and PA-DSS standards, but it is a call for merchants using ...

USA Today warns of Evil Twins

While sitting in the Courtyard this morning in Sterling, VA, I saw that Dan Frost of the USA Today is warning of the Evil Twin problem with wireless networks…. again. I seem to remember seeing this pop up in the past, but this problem has been around as long as wireless has been in cafes. So, watch out…. again!

Protect Your Internet Traffic!

One of our consultants brought a great write up on Dan Egerstad, the Swedish security consultant who set up a series of Tor servers designed to promote anonymous browsing. Unfortunately, the organizations deciding to adopt Tor forget that unencrypted traffic can still be read, captured, and exploited. This brings up an interesting trend though. Why are people still not protecting their internet traffic? I’m not talking about browsing around and picking up the next Super Mario Bros game at Amazon, but using Outlook for email via POP3/IMAP. Compound this with the problem that most people are remiss in using unique passwords for their key accounts, and you can see how a nefarious organization with a little bit of technology could ...

Blackberry War?

Todd Wilkens posted about his personal war against Blackberries this month. As a consultant, it is not only hard to conduct meetings (where we are getting paid by the hour) with customers when this happens, but I have been tempted to do the same thing as well! I think we all tune out at some point when it comes to meetings, especially those after lunch ones. What I’m interested to know is if anyone has ever suffered a breach due to a lost blackberry. With the amount of scrutiny over email these days, I know that some caution is taken. That said, I also know that humans are lazy people and email is very pointy/clicky. I’ve seen executives forward extremely ...

Why the NRF is dead wrong

According to an interview on 60 Minutes, the National Retail Federation’s position (says Dave Hogan, NRF’s CIO) is that the Card Associations are at fault for credit card fraud because the card associations require retailers to store consumers’ CC data. I can’t believe how wrong these guys are and that they are taking the national spotlight to try and scare consumers into believing this lie. He also says he is not sure how vested the credit card companies are in securing customer data. The funny thing is the whole PCI Standard “thing” came BECAUSE the card associations are interested in securing customer data, not the other way around. And the notion of fines being a revenue stream is absurd. Look ...

What will you buy?

With numerous retailers putting offers both online and in the store, how many of you are making the rush? Maybe because I can remember hitting the mall VERY EARLY in the morning on Black Friday as a kiddo I have never taken part in this. We also have family things going on that day, so it makes it a little bit harder. My advice to retailers, watch out. As we saw back in July, cards stolen in the TJX breach this year could likely be used on the busiest day of the year. Many years ago, I worked retail and learned to dread the day after Thanksgiving. Even on our busiest times, you could at least walk through the store ...

Back in this side of the world!

Just got back from London (and I feel fantastic!), and they are really taking an interest in PCI. I found it very interesting that many of the Big 4 are still heavily involved in providing advice about PCI even though they are not Qualified Security Assessment Companies. The funny thing is that the UK seems to be where the US was about three years ago. Still in the discovery phase, and not a ton of C-level attention yet. Until Visa, Inc. puts something like the Compliance Acceleration Program in place over there, it will likely have a very slow adoption rate. Hopefully Visa will give people at least 24 months notice, and the banks will over-communicate with their merchants so ...

PCI News Flash! Visa releases new Payment Application Mandates!

Yep, more PCI posts. Visa has just released their new Payment Application Security Mandates which give a new timeline for merchants to use PABP (or now PA-DSS) validated payment applications. If you are using a third party application and it is not validated by July 1, 2010, you will likely be subject to fines by your acquirer. There are other items leading up to that, but this is the big one for most merchants.

PCI News Flash! PA-DSS a REALITY!

We’ve all heard speculation, and even speeches where we were told this was coming, but it is now finally one step closer to reality. Today, the PCI Security Standards Council announced the Payment Application Data Security Standard, and its intention to release the new standard by Q1 of 2008. Unfortunately, to my knowledge the PA-DSS is not quite out of draft form yet, and is still sitting with the Members. Once it is clear of that review process, I hope that QSAs will be given an advance copy like we were of the proposed questionnaire. While we are prohibited from sharing the documents with our customers, we can speak to their makeup and how it might affect them. Stay ...

ISSA features “Strategies for Eliminating Cardholder Data”

Have you got your ISSA Journal for October in the mail yet? If not, click on over to their website and you will see that they featured my article!