What’s the craic on KRACK? standard

For those who are not familiar with the Irish slang, read this. We got another fun named vulnerability this week that goes after WPA2 encryption, something that is ubiquitous but not impenetrable. Key Reinstallation Attacks, or KRACK for short, exposes a weakness in the WPA2 protocol. It’s an attack on the protocol itself, so anything that is unpatched and properly implemented to the Wi-Fi and WPA2 standard is vulnerable. Patches are already well on their way to being released and deployed. But this problem is going to stick around for a long time like Shellshock and Heartbleed. Many Wi-Fi hotspots are running outdated firmware that cannot be upgraded in some cases. Just like Shellshock and Heartbleed, the only way to ...

Continue Reading

Why PCI DSS 4.0 Needs to be a Complete Rewrite standard

The last month has been tough for our coastal regions and based on what forecasts show for the rest of the season, we’re not out of the woods. If you have not donated to those affected by these massive storms, please consider doing so today. The group that received my donations this time around is Direct Relief, but there are plenty to choose from. Thankfully, the Council canceled the Community meeting due to Irma (albeit, probably two days too late). It was the right decision. Hopefully, the vendors who have spent money with the Council will get some kind of relief for this year. Given that the conference didn’t happen, there was a missed opportunity to discuss the future of PCI ...

Continue Reading

Equifax is only half the problem, your SSN needs a redesign! standard

The Social Security Number in the United States is the closest thing we have to a national identification system. It’s widely used to deal with the government, open lines of credit, and serves as the unique ID for a tax payer. It’s effectively your financial and governmental digital footprint identifier from which all actions are compared. Great, right? We can use it to ensure people pay their taxes, connect bank records and large financial transactions to an identity, ferret out money laundering and illicit business, and get a personal balance sheet on anyone who has credit. Except, once that number is disclosed, it’s disclosed. Unlike a payment card number, there is no wide-scale method to reissue a social security number. Like ...

Continue Reading

Orfei Steps Down standard

In a rather surprise announcement, admittedly from a guy who is farther and farther removed from the PCI DSS ecosystem with each passing day, The PCI Council announced that Steven Orfei is stepping down as GM. His tenure was rather brief, in comparison to Russo, but it’s a thankless job that probably gets even more thankless every passing day. I wonder who will be next to steer the ship?

Continue Reading

Blockchain Fun standard

Two posts in one week? What is this, 2009? I’ve always been interested in payment and commerce. Blockchain and crypto-currencies have really captured my attention lately as the business applications are many and game-changing. I just published an article on the topic in this month’s Tactics & Preparedness that reviews some of the basics for folks who are not familiar with the technology. When people talk about the future of payments, you can’t leave the topic out. It’s certainly more exciting than anything PCI DSS can throw out there! For those looking for more, check out this great literature review by Peter Bailis, Arvind Narayanan, Andrew Miller, and Song Han. Blockchain isn’t just for Bitcoin!

Continue Reading

Should you be a PCI Participating Organization? standard

What does it cost to be a PO? As if this writing it costs US$3,750 annually (originally US$2,000), For most companies, $3,750 per year is a drop in the bucket. Originally, the big benefit of being a PO was getting involved in the shaping of the Standard when the program was launched. Big changes meant huge benefits from collaboration as firms were dramatically overhauling their technology stack to comply with PCI DSS. The Standard was new, generated lots of questions, and early adopters needed collaboration. PO Benefits Review Let’s take a look at the current benefits on the PCI Council’s website. […] the opportunity for advance review of standards and supporting materials before release, with the opportunity to provide comments directly to the ...

Continue Reading

Did you pre-order a Plastc? You might be able to recover your money! standard

Anyone who participates in a pre-order situation like Kickstarter or IndieGoGo is playing a little bit of a game of chance with their money. The most recent example is from a company called Plastc, which I have written about here in this blog before. Unfortunately, it appears they have run out of money and vanished with $9M of pre-orders and no product to deliver. Depending on how you paid for this order, you may be able to recover the $135 to $155 you put in as a deposit. Companies like American Express stand behind their consumers and I know of one person who was able to get his deposit back. Other companies may have different policies. Regardless, I hope that ...

Continue Reading

Is All Good News REALLY Good News? standard

Have you noticed that there has not been too much (well, really any) bad press around the PCI ecosystem lately? Perhaps everything is great! Doesn’t seem like we’ve had the same string of retail breaches that we saw in 2014 (which lead to this piece of research), even though 2016 was bad (good?) in general for cybercrime. A quick data dump from PrivacyRights.org says there are around 100 related to cards since 2016, but some appear to be duplicates (Wendy’s is reported multiple times). Of course, we found out about more problems at IHG last week. Seems like big security bloggers still talk about breaches, but we don’t see the same questions around PCI DSS that we did in 2014-2015. Individuals certified or ...

Continue Reading

The PCI Council’s Revenue Generation Capability standard

The other day I was thinking about all the programs that the Council currently maintains and I wondered if it was possible to see how much money the Council actually brings in every year. I mean, every year seems to see more programs with more fee collection opportunities for the Council, but had anyone ever added all that up? So I got to researching. I started with the usual sources: LexisNexis, Hoovers, Dun & Bradstreet, and found very little information. Only one report by Dun & Bradstreet, who is notoriously inaccurate when dealing with privately held firms, of around $3.7M in 2016. Then I headed over to the IRS’s website to see if the Council had ever filed a form ...

Continue Reading

This is a unique website which will require a more modern browser to work!

Please upgrade today!