Visa Issues Eliminating Cardholder Data Brief standard

Late last night (well for me in Central time), Visa posted a new brief on their CISP website regarding eliminating the storage of prohibited cardholder data. Essentially, this is just another data brief explaining how to look for and remove prohibited data. Prohibited data as defined by the PCI Data Security Standards, Requirement 3.2, includes such things as CVV/CVC Data (as found in the magnetic stripe of the card), CVV2/CVC2/CAV2/CID (3 or 4 digit code in the signature panel or front of the card), and the PIN or PIN Block. According to the brief, there has been a number of compromises recently where prohibited data was stored. For more strategies on eliminating cardholder data, please read my paper entitled “More ...

Continue Reading

WDOCD: Secure File Transfer standard

This episode of What Do Other Companies Do is typed before a live studio audience. The question comes from Bill of Jack’s Joke Shop (Remember, “If it ain’t funny, it ain’t worth jack!”), and he asks: “We’re looking for a large file transfer solution that will secure data in-transit. We have a small I/T shop and Help Desk and do not have the capacity to handle user provisioning & management for a solution, and really don’t want to start managing a file repository with aging requirements. Like most companies, we are subject to various compliance initiatives such as PCI, HIPAA, and GLBA, but our top management has asked us to exceed compliance baselines where possible. What do you see other ...

Continue Reading

Boss, I Think Someone Stole Our Customer Data standard

This month in Harvard Business Review, we finally get a case study that applies to Information Assurance! “Boss, I Think Someone Stole Our Customer Data” ($4 PDF) tells a story that many CEOs fear, and some can give you a first hand account about–a breach of customer data. While the case study does speak in some general terms, it is an excellent table-top exercise to run through during your regularly scheduled incident response plan test. This exercise should include various functional groups such as Legal and Marketing in addition to the traditional security or information technology employees. The case study is written in general terms, and can be used multiple times as the law changes. Possibly Related Posts: Let’s Encrypt ...

Continue Reading

PCI Requirement 8, what about Administrator accounts? standard

I had a customer ask me if they had to make the Administrator account/password comply with Requirement 8 of the PCI Standards. Requirement 8 deals with assigning a unique ID to each person with computer access to those systems dealing with cardholder data. Specifically, no generic or shared accounts should be used–especially those that are administrators! The answer is YES, they must comply with the requirements. What does that mean from an operational standpoint? We see customers attack this from various angles. For those corporate systems, they are typically just disabling the Administrator account, and putting special alerting in place to see if it is ever used (as in something bad is happening, go deploy the calvary). In the case ...

Continue Reading

WDOCD: Secure Tape Destruction standard

For our VERY FIRST installment of “What Do Other Companies Do” (WDOCD), Randy Smith has asked the following: “What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data). To my understanding PCI does not provide a specification. What standard seems to be “secure enough” for older tapes potentially with unencrypted data? Do you feel that standard is OK to relax when all the account number data is encrypted?” Excellent question Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies from using a bulk eraser, to pulling out the DeWalt and drilling a hole right through it (yes, one company we ...

Continue Reading

What Do Other Companies Do? standard

Well folks, it’s time. Yes, I’ve been running this blog for a whopping month or so, and I just want to see if anyone is reading. So far, the only comments that have been submitted are those for “Biagra” and some “Hot New Penny Stock” that promises to make me rich beyond my wildest dreams. While those are certainly enticing links, I think we could make this much more productive. What I’m looking for is to play a game called “What Do Other Companies Do” (similar to “Spin the Topic Wheel” for any P1s out there). Essentially, I’d like you to email questions to TheSecurityBlog@gmail.com asking how other companies address various security practices. For example, “What do other companies do ...

Continue Reading

More Strategies for Eliminating Cardholder Data standard

Greetings folks. My new article entitles “More Strategies for Eliminating Cardholder Data” has now been published on the VeriSign website. This is an expansion of my previous article which primarily relied on Hashing. Based on clarifications from the card associations, hashing is not a silver bullet (do you know of any that are?) and hashed data is still considered cardholder data. The real risk is that rainbow tables can be created if someone knows how the hash is created. Since the keyspace is so small, the rainbow table creation is rapid. This article expands that and takes a more holistic approach to data elimination and talks about many other strategies. It does not address the culture shift question that someone ...

Continue Reading

Knowing Your Data Flows standard

Going to privacyrights.org will clue you into a large cause of data breaches–the stolen laptop. This type of incident is a repeated example of why knowing where data lives in your enterprise is so vital. When we are called into a customer for PCI consulting services, rarely do we see a holistic approach to understanding data flows. There are certainly experts who know their part, and 80% of the time they are right on. But they often lack an over-arching perspective of the data flows, and are unaware of data flows that lie outside of their bailiwick. The level of documentation required for overarching visibility is considerable, but it is also extremely valuable. Imagine being able to see the entire ...

Continue Reading

Visa Slows Compliance Acceleration Program’s Penalties standard

eWeek is reporting that Visa has announced it is relaxing the fine and fee deadline of September 30th. Essentially, what this means for non-compliant merchants is that the proposed interchange rate hikes are lessened to simply say that non-compliant merchants will not be eligible for the “best available” tiered interchange rates. However, non-compliant retailers are still facing costs potentially in the millions by not being able to qualify for lower rates during the ever important holiday shopping season. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Continue Reading