March-April 2015 Roundup

Shush it. I know it’s been a little slow around here. There are some major things in the works! I started a new gig, for one, which is consuming the bulk of my time. I’m also working on a 3.1 addendum to our book, which should be out by the summer. March and April were some busy months for many of us. Three major shows (MAC, ETA, and RSA Conference) all happened in those months. PCI DSS 3.1 was released. You paid your taxes (hopefully). Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. Maybe the economy is heating up? Who knows why this one is still at the top. Regardless, ...

Verizon Report should be a Wake Up Call for the PCI SSC

Verizon recently released their annual state of PCI Compliance Report, which attempts to give a snapshot of current issues in the space as well as trending data over previous years. To summarize the report, the state of PCI Compliance is “not good.” It’s now 2015, more than 10 years after the first release of the standard, and we continue to struggle with compliance rates. In a Computer Weekly article, the GM of the Council says the report is a “wake-up call for every business that cares about payment security.” Respectfully, I think that the results in this report should be a wake-up call for the Council. These findings combined with lower than expected compliance rates and continued breaches (none of which came from compliant merchants) ...

Banks & Merchants are not ready for EMV

EMV, or that fancy chip thingie that many of you are starting to see in your banking cards here in the US, is an anti-fraud technology released in the 90s with global adoption. US markets are finally taking steps to encourage adoption here, and for the most part, nobody is ready. There is a key date coming up in October of this year. Essentially, merchants who have invested in EMV terminals that are capable of processing a transaction (meaning, the EMV slot can’t just be for show) will benefit from protections if counterfeit cards are used at their location. If they don’t, they are unable to seek relief for chargebacks coming from fraudulent charge reports. It’s the carrot method for ...

Updates to the Definition of Cardholder Data Post

I wrote a post in 2009 that is now the all-time, third most popular post on this blog entitled, The Definition of Cardholder Data. I wrote it after leaving the 2009 PCI Community Meeting where there was more bickering and positioning on what constitutes cardholder data than I had ever seen. My experiences there prompted the post, and I figured it was time to go back and revisit it for PCI DSS 3.0. Go check out the updates and see if it is any more helpful! On a side note, I have formally accepted a new, exciting position with an amazing company. More on that in the coming weeks!

February 2015 Roundup

How much snow do you have? Can it be measured in feet or inches? February kept piling it on for many of you, and it even affected the kids here in Texas! Snow days! Don’t forget, the latest edition of our book finally hit the shelves. Thanks for sending pictures of you with your new books! If you need to order your copy, head over to the website at www.pcicompliancebook.info. Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. It’s the holidays, and possibly the time when we encounter trouble with transactions the most. Thus, more people inquiring about customer service! Check out this diversion from security that will make you ...

The Impacts of Breaches: New Research!

Part of the reason why I went through the enlightening process of my third run through academia as a learner was to be able to contribute research back to the field. I’m happy to announce that my first paper is now public for download. Available for download through the Merchant Acquirers’ Committee is this piece that examines the economic impacts of breaches entitled, The Impacts of Breaches: A Survey of MAC Members on the Realities of Data Breaches. In it, I reveal research that helps to explain some of the economic realities of breaches. Here’s a preview: it’s not as bad as you probably think! I’ve also built an academic manuscript for this paper which goes into much more detail ...

Life Saving Aviation Tips Applied to InfoSec

I came across this humorous little collection of life saving aviation quotes. As a pilot, it’s good to have these little quips tucked away for when things move away from straight and level. A good friend of mine pointed out that he often used one of these quotes in InfoSec-related keynotes he gave, and I thought I’d share some here with InfoSec commentary! Aviate, Navigate, Communicate. When the proverbial crap hits the fan, information security professionals may be the key to keeping a company safe from a data loss (or the catalyst to a bad situation). As a pilot, when things go wrong you have to remember to fly the plane, navigate it to a safe place, and tell controllers ...

January 2015 Roundup

January is gone and football is over. There have not been too many posts around here to speak of, but it’s a new year! I will have good news soon, so stay tuned! Don’t forget, the latest edition of our book finally hit the shelves. Thanks for sending pictures of you with your new books! If you need to order your copy, head over to the website at www.pcicompliancebook.info. Here’s what you folks liked the most last month: The Only Customer Service Script You Will Ever Need. It’s the holidays, and possibly the time when we encounter trouble with transactions the most. Thus, more people inquiring about customer service! Check out this diversion from security that will make you think ...

New Whitepaper: Preventing Terminal Tampering

PCI DSS 3.0 is here, and from what I can see it appears that companies are scrambling to get the pieces in place to appease their assessors. One of those biggies is new requirement 9.9, which switches from a best practice to a requirement in the middle of this year. If you are just now starting to take a look at how this will affect your compliance programs, I’m afraid to say that you are behind. There are plenty of resources available for you to get into the technical, nitty-gritty components of this requirement. What I found was missing was a business discussion on the options your firm has to meet this requirement. I’m happy to announce a new whitepaper ...

What am I missing? Outsource payments today!

I always enjoy meeting with colleagues in the industry as I learn something every time. I’ve had a chat with a few of you out there and I’m trying to figure out why more companies continue to insource their payment processing and complain about PCI DSS and breaches as opposed to just outsourcing. Thinking back to some of the challenges in previous jobs, I may have helped answer it thanks to a conversation yesterday morning. All providers of IT services want their customers to integrate their product or service into internal IT systems. It creates stickiness and makes it hard to change vendors. Tools like anti-virus, DLP, SIEM, and knowledge management platforms that achieve some level of integration rarely are ...