ISSA features "Strategies for Eliminating Cardholder Data"
Have you got your ISSA Journal for October in the mail yet? If not, click on over to their website and you will see that they featured my article!
A Visa informational release Friday revealed that 65% of Level 1 merchants have now validated their PCI compliance. This is no big surprise given the Compliance Acceleration Program (CAP) that Visa put into place in December of last year. The message to the remaining 35% is pretty clear.
You are now in the minority.
While I am sure those merchants affected by PCI are well aware of their compliance programs, this may be that final driver to get top-level buy-in so that projects are appropriately funded and tracked. Most companies we work with have plans, but no support.
USA Today published a rather comical headline last week about airport security and security screening -- Most fake bombs missed by screeners.
FAKE bombs.
Wouldn't you want to let FAKE bomb parts pass through and catch the ACTUAL bomb parts? I'm not sure what this study shows. Does it show that the TSA is doing their job well? Hard to say. I think it would be interesting if they redid the study (with some kind of get out of jail free card) with ACTUAL bomb parts. I can only hope that they would be stopped.
The card associations are sternly scolding non-compliant merchants this year, and the attention around PCI related issues has never been greater. Why is it so hard to comply? Surely merchants have some level of security around their customer data, otherwise there would be a compromise every week. Is it technology? Is it cost? Or is it just a lack of motivation from the top down to wrap up these compliance projects?
This year, we released a paper that reviewed 60 Reports on Compliance from 50 of our customers over a 15-month period. What surprised us was that what we perceived as one of the easiest requirements to meet--PCI Requirement 11.2, perform quarterly internal and external vulnerability scans--was the TOP failure! Why would such a relatively easy process cause the most failures among our customers?
This issue has a relatively simple fix in our minds, though we also validated common industry buzz on items that do not. Logging and encryption continue to cripple companies pushing towards PCI compliance. Both require well-thought-out strategies that encompass the entire enterprise before they can be fully implemented. Point solutions rarely, if ever, work in the long term, and by their nature they tend to turn short-term gains into long-term costs.
Inside this paper, we explore many of these issues, and provide free tips on how to make smart decisions on becoming compliant with the PCI Data Security Standards without breaking the bank. Any company that is affected by PCI can take this paper to their organization for practical ideas on how to reduce the impact PCI has on their business.
In a website posting yesterday, Visa clarified on their Merchants page the requirements around quarterly network scans. From their site....
The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their Level 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses.
We've had some questions around quarterly scans recently, so thanks for the clarification!
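The two ways we most often see Requirement 11.2 fail in practice are a scan that ran but not every quarter, and a scan that ran but did not cover every externally-facing IP in scope. The following is an added example, not code from this post, from the paper, or from Visa: a small tracker that, given an inventory of externally-facing IPs and a history of ASV scan runs, reports per quarter whether a passing scan exists and which IPs it left uncovered, and computes when the next scan is due. The scan records and the IP inventory are constructed (RFC 5737 documentation addresses), and treating "quarterly" as a maximum of 90 days between passing full-coverage scans is an assumption of the example, not a reading of the standard.

```python
"""Quarterly external scan coverage tracker (added example; not from the original post)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory of externally-facing IPs (RFC 5737 documentation space, not real hosts).
EXTERNAL_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.8"]

# Assumption for this example: "quarterly" is enforced as at most 90 days between passing scans.
MAX_GAP_DAYS = 90


@dataclass
class ScanRecord:
    """One ASV scan run: when it ran, which IPs it actually targeted, and whether it passed."""
    scan_date: date
    targets: list
    passed: bool


# Constructed scan history for one calendar year (hypothetical data).
SCANS = [
    ScanRecord(date(2007, 1, 20), ["192.0.2.10", "192.0.2.11", "198.51.100.8"], True),
    ScanRecord(date(2007, 4, 30), ["192.0.2.10", "192.0.2.11", "198.51.100.8"], False),  # failing finding
    ScanRecord(date(2007, 5, 20), ["192.0.2.10", "192.0.2.11", "198.51.100.8"], True),   # rescan after the fix
    ScanRecord(date(2007, 8, 10), ["192.0.2.10", "192.0.2.11"], True),                   # one IP left out of scope
]


def quarter_window(year, q):
    """Return the first and last calendar day of quarter q (1-4) of the given year."""
    start = date(year, 3 * (q - 1) + 1, 1)
    if q == 4:
        end = date(year + 1, 1, 1) - timedelta(days=1)
    else:
        end = date(year, 3 * q + 1, 1) - timedelta(days=1)
    return start, end


def quarter_status(scans, year, inventory):
    """Per quarter: did any scan run, did a passing scan exist, and which inventory IPs
    were not covered by any passing scan in that quarter."""
    report = {}
    for q in range(1, 5):
        start, end = quarter_window(year, q)
        in_window = [s for s in scans if start <= s.scan_date <= end]
        covered = set()
        for s in in_window:
            if s.passed:
                covered.update(s.targets)
        report[q] = {
            "scanned": bool(in_window),
            "passed": any(s.passed for s in in_window),
            "uncovered": sorted(set(inventory) - covered),
        }
    return report


def last_full_pass(scans, inventory):
    """Date of the most recent passing scan that covered every inventory IP, or None."""
    full = [s.scan_date for s in scans if s.passed and set(inventory) <= set(s.targets)]
    return max(full) if full else None


def next_scan_due(scans, inventory):
    """Latest date by which the next passing full-coverage scan must complete, or None."""
    last = last_full_pass(scans, inventory)
    return None if last is None else last + timedelta(days=MAX_GAP_DAYS)


def overdue(scans, inventory, today):
    """True when no passing full-coverage scan lies within MAX_GAP_DAYS of today.
    Accepts today as a date or an ISO-8601 string for convenience."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    due = next_scan_due(scans, inventory)
    return due is None or today > due


if __name__ == "__main__":
    for q, status in quarter_status(SCANS, 2007, EXTERNAL_IPS).items():
        print(f"Q{q}: {status}")
    print("last full passing scan:", last_full_pass(SCANS, EXTERNAL_IPS))
    print("next scan due by:", next_scan_due(SCANS, EXTERNAL_IPS))
```

Run against the constructed history, the report shows Q2 passing only because of the rescan, Q3 passing but leaving 198.51.100.8 uncovered, and Q4 with no scan at all; because the August run missed an IP, the next scan is due 90 days after the May run rather than the August one. Keeping the inventory as a separate list from the scan targets is the point: the scope the ASV is handed has to be reconciled against what the organisation actually exposes, or a clean report can hide an unscanned host.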