
November 27, 2007

VeriSign teams up with BSI America!

Security is not about compliance, it's about building a good program and governance to protect data. VeriSign announced today in conjunction with BSI Americas that VeriSign will be the exclusive firm to provide ISO 27002 readiness assessments that ultimately lead to certification.

The ISO 27002 standard (Information technology - Security techniques - Code of practice for information security management) lets companies that implement it focus first on security and then tune the result to satisfy compliance. Enterprises faced with multiple compliance initiatives should build good security practices first and push compliance second. That foundation is what lets you stay compliant every day, not just at audit time.

For more information, see the press release above!

November 25, 2007

Why the NRF is dead wrong

According to an interview on 60 Minutes, the National Retail Federation's position (says Dave Hogan, NRF's CIO) is that the Card Associations are at fault for credit card fraud because the card associations require retailers to store consumers' CC data. I can't believe how wrong these guys are and that they are taking the national spotlight to try and scare consumers into believing this lie.

He also says he is not sure how vested the credit card companies are in securing customer data. The funny thing is the whole PCI Standard "thing" came BECAUSE the card associations are interested in securing customer data, not the other way around.

And the notion of fines being a revenue stream is absurd. Look at the amount of cash that issuers and the members of Visa & MC are charged in fraud losses each year. We all hope that these fines go to promoting the securing of credit card data and lessening the impact of compromises to issuers. Do they? I certainly hope it is not another "Let's get a state lottery to fund public education" bit.

Visa & MasterCard DO NOT require retailers to store customer data. Retailers sometimes do this as a convenience due to some failure in the process, such as a missed transaction. But the real problem comes in the lack of data cleaning and disposal by those collecting it.

There is absolutely no reason to keep a full credit card past settlement.

...

Stop and think about that.

NO REASON to keep the data past settlement. Yet millions of retailers do! Why? Convenience? Cause the "man" is out to get them and withhold revenue?

Nah, more likely, "Because that's the way we have always done it." In fact, we've had customers who have decided that they will just take chargebacks as an acceptable loss because the cost of securing and holding data is too expensive.

Acquirers can and have offered to store data on a retailer's behalf, but of course for added cost. Big surprise, security costs! Because so many retailers drive cost through the floor, they accept risk they cannot afford. Did TJX think they would spend over a half billion dollars this year cleaning up after a horrible breach? Probably not.
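The control the post keeps coming back to is simple to state and rarely automated: once a transaction has settled, the full card number should not still be sitting in logs or transaction tables. The script below is an added example (not code from the original post or from any acquirer); it finds Luhn-valid card-number candidates in stored text and masks the PAN on settled records. The log lines and records are constructed samples using well-known test card numbers, and the `settled` flag and `pan` field names are assumptions about a record format, not a real system's schema.

```python
"""Added example: locate full card numbers that linger in stored data and
mask them once the transaction has settled. All sample data is constructed."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed log lines using industry test card numbers (not real accounts).
SAMPLE_LOG = """\
2007-11-23 08:14:02 POS-17 auth ok pan=4111111111111111 amt=59.99 ref=A1
2007-11-23 08:15:40 POS-17 auth ok pan=4111-1111-1111-1111 amt=12.00 ref=A2
2007-11-23 08:16:11 POS-02 order=1234567890123456 status=picked
2007-11-23 08:17:05 POS-09 auth ok pan=5500 0000 0000 0004 amt=200.00 ref=A3
"""

# Constructed transaction records; the field names are an assumption.
SAMPLE_RECORDS = [
    {"ref": "A1", "pan": "4111111111111111", "settled": True},
    {"ref": "A3", "pan": "5500000000000004", "settled": False},
]


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; cuts false positives such as order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return every Luhn-valid, PAN-length digit string found in text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits; the rest becomes asterisks."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def purge_settled(records: list) -> list:
    """Return a copy of records with the PAN masked on every settled one.
    Unsettled transactions keep the PAN because settlement still needs it."""
    cleaned = []
    for rec in records:
        rec = dict(rec)
        if rec["settled"]:
            rec["pan"] = mask_pan(rec["pan"])
        cleaned.append(rec)
    return cleaned


def full_pans_remaining(records: list) -> int:
    """Count records that still hold a full, Luhn-valid card number."""
    return sum(1 for rec in records if find_pans(rec["pan"]))


if __name__ == "__main__":
    print("PANs in log:", find_pans(SAMPLE_LOG))
    cleaned = purge_settled(SAMPLE_RECORDS)
    print("Full PANs before:", full_pans_remaining(SAMPLE_RECORDS))
    print("Full PANs after: ", full_pans_remaining(cleaned))
```

Run `find_pans` over log directories and database exports on a schedule and treat any hit on settled data as an incident; the order number in the third log line is deliberately a 16-digit value that fails the Luhn check, which is why the validation step matters before anyone is paged.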

Mark Rasch is also seen in this piece and is absolutely correct in that retailers do not do enough to help secure data. Why not? Because it is not in their nature!

Retailers are good at retailing, not information security. Identity theft is forcing retailers to grow security brains and start to implement good controls to protect customers' data. Does your company? Is your company taking the "I'm compliant until I'm compromised" stance?

Will it take a TJX-like event happening to your company to get the fire started?

November 21, 2007

What will you buy?

With numerous retailers putting offers both online and in the store, how many of you are making the rush? Maybe because I can remember hitting the mall VERY EARLY in the morning on Black Friday as a kiddo, I have never taken part in this. We also have family things going on that day, so it makes it a little bit harder.

My advice to retailers, watch out. As we saw back in July, cards stolen in the TJX breach this year could likely be used on the busiest day of the year. Many years ago, I worked retail and learned to dread the day after Thanksgiving. Even on our busiest times, you could at least walk through the store without having to physically move people out of the way.

With pressure mounting on retailers to deliver big numbers, will they not take a second look at a credit card to help push people through the line? One of the greatest times to use social engineering is when your mark is super busy, and overly distracted. I predict that retailers will see higher amounts of fraud this year for card-present transactions (noting of course that my 2.5 year old son is beating me in the NFL football pool this year, so take my prediction with a grain of salt or two).

And finally, I hope you all have an excellent holiday!

November 16, 2007

Back on this side of the world!

Just got back from London (and I feel fantastic!), and they are really taking an interest in PCI. I found it very interesting that many of the Big 4 are still heavily involved in providing advice about PCI even though they are not Qualified Security Assessment Companies. The funny thing is that the UK seems to be where the US was about three years ago. Still in the discovery phase, and not a ton of C-level attention yet. Until Visa, Inc. puts something like the Compliance Acceleration Program in place over there, it will likely have a very slow adoption rate.

Hopefully Visa will give people at least 24 months notice, and the banks will over-communicate with their merchants so there is not a huge panic 6 months before the deadline.

November 11, 2007

PCI News Flash! Visa releases new Payment Application Mandates!

Yep, more PCI posts.

Visa has just released their new Payment Application Security Mandates, which give a new timeline for merchants to use PABP (or now PA-DSS) validated payment applications. If you are using a third party application and it is not validated by July 1, 2010, you will likely be subject to fines by your acquirer.

There are other items leading up to that, but this is the big one for most merchants.

November 07, 2007

PCI News Flash! PA-DSS a REALITY!

We've all heard speculation, and even speeches where we were told this was coming, but it is now finally one step closer to reality. Today, the PCI Security Standards Council announced the Payment Application Data Security Standard, and its intention to release the new standard by Q1 of 2008. Unfortunately, to my knowledge the PA-DSS is not quite out of draft form yet, and is still sitting with the Members. Once it is clear of that review process, I hope that QSAs will be given an advance copy like we were of the proposed questionnaire. While we are prohibited from sharing the documents with our customers, we can speak to their makeup and how it might affect them.

Stay tuned for more information as it is released!

November 05, 2007

PCI News Flash! Italian Translations!

PCI-SSC has now announced Italian translations!