Channel: PA-DSS – PCI Guru
Browsing all 68 articles

Encryption Basics

NOTE: This is a revised version of my original post to reflect readers' concerns regarding statements made that do not reflect best practices surrounding encryption key management.  A big thank you to...

Hashing Basics

I am catching some heat over the Encryption Basics post from some of my more ardent detractors that have called me on the carpet over making security and PCI “too simple” or “dumbed down.”  As I said...

Encryption Key Management Primer – Requirement 3.5

Before getting into key management, it is important to acknowledge that these requirements are not relevant to every encryption solution.  In the case of PGP, key management requires the user to create...

2012 Database Threats

I attended a Webinar recently put on by Application Security Inc. regarding the threats to databases for the coming year.  If you did not attend it, you missed a good session.  But the most disturbing...

When Will The PCI SSC And Card Brands Stop The Mobile Payment Insanity?

This week PayPal introduced Here, their mobile payment processing application for Apple iOS and Android devices.  The good news is that PayPal Here at least appears to encrypt cardholder data, but that...

Another Year, Another QSA Re-Certification

It is that time of the year when I have to go through the PCI SSC’s Qualified Security Assessor (QSA) re-certification process. To add to the re-certification process this year, I have been sick for...

Is It ‘WHO’ Or ‘WHAT’ That Is Important?

There is a very active discussion going on in security circles about understanding adversaries and how that impacts security strategy.  I have taken a contrarian position in this argument and have...

A Reason Why The PCI Standards Get No Respect

Call it the “Rodney Dangerfield Effect.”  Conflicts of interest seem to pervade the PCI compliance process and it is something the PCI SSC and the card brands need to clear up before their precious...

PA-DSS Validation Clarification

On July 23, 2012 we received the following communication from James Barrow, Director of AQM Programs, with the PCI Security Standards Council.  I found it worthy of posting so that everyone understands...

Pre-Authorization Data – The Card Brands Weigh In

I just wanted to pass along what I have heard thus far on this topic from the various card brands.  I’ll keep updating this post as I get more responses. American Express (aka Trustwave) came back with...

What To Focus On In 2013

It is the end of the year and, like all other pundits, here is another idea on what 2013 will bring in the way of security issues.  After reading a lot of the other predictions out there, I tend to...

How The PCI Standards Will Really Die

Welcome to the new year.  I hope the holidays have been treating you well and the coming year is good as well. There have been a number of articles written about why and how the PCI compliance process...

Security And Compliance

I have written a lot about this topic over the years and was recently reviewing my Compliance Is Not Security – Busted! post and the comments that came in regarding it. A theme of a number of the...

Compliance, Compliance Testing and Security

I was recently on a Webinar presented by a major security vendor and one of their points was that executive management is finally starting to realize that compliance does not equal security.  If you...

The Problems With Big Data

I developed a presentation on big data for a series of education sessions I am delivering for a financial institution trade association.  As I was putting the presentation together, I realized that...

Developers Beware – Stripe

A reader pointed out this merchant services provider to me, so I checked it out.  I ran into some concerns as I reviewed their documentation that I want to share with you all so that you have a better...

A Preview Of Things To Come

“The new standards are here!  The new standards are here!”  Well, almost. On Tuesday, August 27, at 11AM EDT and Thursday, August 29, at 2PM EDT, Bob Russo of the PCI SSC will discuss the Summary of...

Mobile Payments Update

This past week, Bob Russo, General Manager of the PCI SSC, held Webcasts to discuss the changes coming to version 3 of the PCI DSS and PA-DSS.  For the most part, these Webcasts were nothing special....

The Drafts Are Out

Just a quick note to let everyone know that the drafts of v3 of the PCI DSS and PA-DSS were released today to Participating Organizations (PO) and Qualified Security Assessor Companies (QSAC).  In...

The Harsh Reality Of Security

Chris Skinner has a blog entry that asks the question, “Why does the card securities council not care about card security?”  What concerns me is the title of the article as it again implies that the...
