Browsing all 33 articles

Pre-Authorization Data

After a number of interactions with a variety of people over the last few weeks, it has become obvious that the concept of pre-authorization data is not clear to a lot of people.  And just because it...

How Did It Happen?

This is just my supposition on how the Target breach occurred, but it is based on what has been released to date plus what limited knowledge I have of Target’s environment, the environments of other...

An Open Letter To Executives

I apologize for not posting anything recently, but I have been busy dealing with my taxes, QSA re-certification and clients.  Over the years that has involved dealing with people that I would like to...

Keeping It Simple – Part 1

Apparently, I struck a nerve with small business people trying to comply with PCI.  In an ideal world, most merchants would be filling out SAQ A, but we do not live in an ideal world.  As a result, I...

Interested In Business As Usual?

I am encountering more and more organizations that are interested in business as usual or BAU.  Organizations are finally realizing that the only way they are ever going to feel secure is to embed...

Do Not Jump To Conclusions

A QSA apparently posed a question to the Council regarding the scope of wireless headsets used in a client’s call centers.  In this case, the headsets rely on DECT technology.  The response from the...

Lawyer Or Security Professional?

“It depends upon what the meaning of the word ‘is’ is. If ‘is’ means ‘is and never has been’ that’s one thing – if it means ‘there is none’, that was a completely true statement.” –President of The...

The ASV Process Is Broken – Part 3

So what are my ideas on fixing the ASV process? Modify The ASV Program The conditions that drove the ASV process originally made sense.  Vulnerability scanning tools were predominately open source and...

Security Or Checking A Box?

“Better to remain silent and be thought a fool than to speak out and remove all doubt.” Abraham Lincoln What is your organization interested in?  Security or checking a box? Not surprisingly, most...

PCI Compliance Is Getting More Rigorous

When Visa and MasterCard trotted out their security standards back in 2002 and 2003, the large eCommerce merchants that got to see them complained that they were too much.  Fast forward more than a...

SSL Is Officially Declared Dead

On January 30, 2015, QSAs received the latest edition of the Council’s Assessor Newsletter.  Buried in that edition was the following statement. “Notice: PCI DSS and PA-DSS v3.1 Revisions Coming In...

Council Surveys QSAs On SSL

This message popped into my inbox late yesterday. The survey in question contains the following questions. All of my clients have gotten rid of SSL on their public facing Web sites. The dilemma we have...

They Are Just Words

QSAs get asked a lot of “what ifs”. If I do ‘A’, will that result in ‘B’? What if I do ‘C’, will that accomplish ‘D’? If I do ‘E’, will that cause ‘F’? Where this really hits hard is when an...
