Credit card security rules adapt to reduce even more risk
PCI DSS is composed of multiple components and testing procedures to manage risk and protect data (in the effort to reduce fraud). The Internet scan requirements are only a component of the PCI DSS requirements. It's important to recognize that OWASP (or similar) secure coding guidelines ARE REQUIRED (also listed as 5.1 in the Payment Application Best Practices):
"6.5 Develop web software and applications based on secure coding guidelines such as the Open Web Application Security Project guidelines. Review custom application code to identify coding vulnerabilities..."
Testing procedures STILL INCLUDE penetration testing and/or application code reviews.
Positively, as commented, there are creative ways to solve MOST ANY [encryption] challenge, but unfortunately not ALL challenges, which is why we see program improvements -- these are efforts to address more situations and further reduce risk.
MasterCard and Visa (et al.) don't "give in" to accept more risk; instead, what we are seeing is a private program that's maturing and adapting to the marketplace. The Card Associations recognize that it would NOT be good for anyone to just reduce one factor/risk (such as business risk) if another factor increased (such as consumer risk). Consumer confidence in the system is what makes the system successful.
A larger adoption of the program results in less risk overall. Everyone's goal is the same here -- to manage and mitigate risk and fraud. No one in the payment process benefits from fraud.
May 17, 2006
0 replies
Sometimes there is a business reason for (some) data to be stored
This is a very admirable goal, to not store the cardholder data/PAN, for any merchant. Certain data are already NOT permissible for merchants to store after authorization:
* Full magnetic stripe contents (aka, Track Data)
* 3 or 4 digit security code (CVV2/CVC2/CID)
* PIN Verification Value (PVV)
PCI DSS manages risk to help protect data and prevent fraud. These items present the most significant risk of fraud when stored. Fraud is much less likely to occur when only a PAN (i.e., credit card number) is compromised.
PCI DSS even agrees that any cardholder data should NOT be retained unless needed. In the current version (v1.0), Requirement 3 states:
"Keep cardholder information storage to a minimum... Limit your storage amount and retention time to that which is required for business, legal, and/or regulatory purposes..."
PCI DSS addresses both online and brick-and-mortar merchants (plus mail and telephone procurement). There will be situations where some merchants will need to store information (sometimes just temporarily). Here are a few examples:
* Subscriptions (where there is a regular recurring charge, such as monthly)
* Store and forward/batch processing
* Unshipped items for inventory that is not in stock
* Repeatable purchases
Unique transactions are great in theory; however, the infrastructure to support them is not present on a mass scale. Several service providers (think of gateways) are making strides to help their merchants achieve this goal by using a placeholder for the credit card number or by allowing the merchants to store the cardholder data on the service providers' systems to allow for repeat charges.
Again, the goal of the new release is not to say Merchants do not have to encrypt information. By definition, compensating controls:
* Need to be "above and beyond" the current requirements
* Meet the "intent and rigor" of the original requirement
This is NOT an effort to relax the standard, but to respond to a business need in the marketplace while still limiting risk to data.
May 17, 2006
0 replies
PCI DSS is about managing risk
To add to the discussion about PCI's movement, I think we should commend the Card Associations for self-regulating as a private industry. The Payment Card Industry Data Security Standard (PCI DSS) was a program developed to manage RISK, not solely SECURITY.
Encryption is always a sensitive topic for professionals passionate about security and business owners seeing price tags for enterprise-grade encryption solutions. Although technology is advancing and encryption solutions are more easily accessible, some organizations are unable to make either a business justification or technological changes to their legacy systems to be able to implement encryption. We, as security professionals, help business owners and decision makers understand WHY encryption is important and how to justify it.
The Card Associations are very responsive to the market. Security companies, such as 403 Labs and other Qualified Vendors/Assessors, work with the Card Associations to help give guidance on new attack patterns, technological advancements, and overall security trends.
Because PCI DSS is a Compliance Program to manage RISK, the highest risks will be addressed first (a calculation based on threat, fraud, and some statistical analyses to which we may not all be privy). As the Program continues to mature, additional SECURITY measures will be required when it becomes more feasible for the mass market to implement them.
As others have alluded to in their responses, encryption is also not the ONLY security measure that an organization should have in place. Security needs to come in the form of a Security Program -- encompassing technology (such as encryption), plus policies, procedures, and education to form a LAYERED model. After all... encryption will only be as secure as its key is protected.
For those of you who are able to encrypt and who continue to strive to be on the leading edge of securing your infrastructure, I commend you. For others, if you're reading this, it means you're already heading in the right direction -- just don't lose focus of your business and the goal.
May 16, 2006
0 replies