
Articles in the Alerts Category

Alerts »

[27 Jul 2010]

For those of you paying attention - I’m sure that you’ve already seen this announcement and probably taken a cursory look through the documentation.
I’ve been a bit out-of-pocket recently (a combination of family vacation & working on projects with some of our large retail and retail technology clients), but wanted to make sure that I made note of this information from VISA in case you hadn’t seen it.
Sorry - that’s it, but as we get through the next crazy week (it’s Black Hat after all…) I’ll try to be more …

Alerts, Interesting »

[11 Jun 2010]
Short Post On A Lesson Learned - Hackers Break Into Reddit’s Gmail and Twitter Accounts

Why am I posting this on a retail infosec blog?  Because of the last two paragraphs:
… Why does Reddit use a Gmail account for this purpose, anyway? One of the site’s moderators answers: “When we were much, much smaller (no mail server, etc) it was the easiest way for several people to get to the feedback account at the same time, and it stuck.”
So there you have it: as the company grows, it should continually update its security practices, otherwise it might find that certain …

Alerts, Retailers, featured »

[9 Jun 2010]
FTC Settlement Order with Dave & Busters

Again via Office of Inadequate Security… their link is below.
So Dave & Busters’ FTC settlement is finalized and it illustrates another concern for merchants that aren’t taking a comprehensive approach to security - the burden of being monitored by the FTC.  Here’s the quote from the press release:
The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year …

Alerts, Interesting, PCI News, Retailers, Vendors, featured »

[2 Jun 2010]
Additional Information About That Potential Lawsuit

After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out.  He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!.  We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …

Alerts, PCI News, application security, featured »

[27 May 2010]
Lawsuit Brewing Against Popular POS Software Provider and Reseller

Hey look - another lawsuit….
Well - right now it’s just the threat of a suit…  The information is a bit thin and I’m not sure (based on the press release) whether or not this is a complaint about the software, the implementation of the software, the hardware system, or all of the above.
What it does look like is a bit of a fishing exercise by the law firms - let’s send out the press release, make it general enough that we include just about anyone that even thought about touching the …

Alerts, Interesting, PCI News, PED / Payment Terminals, Retailers, application security, headline »

[27 May 2010]
ExxonMobil’s PA-DSS Extension

The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting.  It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):

That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
If you are big enough, VISA is going to …

Alerts, PCI News, PCI Philosophy / Approach »

[1 Apr 2010]

Here’s the link to a webinar that NetSPI and CoreTrace are doing on April 8th.  So far we have a really good set of attendees and David Gianna, one of NetSPI’s senior consultants and QSAs, is going to be presenting on:

Quick PCI overview, including the role of the PCI Security Standards Council and QSAs; the interrelationship of PCI-DSS, PA-DSS and PED; Merchant-Acquirer-QSA relationship; and the major PCI-DSS requirements
Discussion of PCI compliance versus Information Security and the relationship between each
Baseline view of the operational realities that make …

Alerts, Conferences / Webinars, PCI News, PCI Philosophy / Approach, PED / Payment Terminals »

[1 Dec 2009]

The Council is hosting a couple of ‘open mic’ webinars for industry stakeholders on the 8th and 9th of December.  They are trying to update the industry following the Community Meeting and get some feedback or questions….
These are typically reserved for Participating Organizations, but for this round they are opening it up to the broader industry…  Here’s the link:
PCI Council Webinar Release

Alerts, PCI News »

[18 Sep 2009]

I’m posting this up here again - I realize that a lot of people have already seen this, so it’s not new, but since some very detailed questions popped up in a conversation this week regarding wireless and PCI I thought I’d put it out there again…
Information Supplements - PCI Security Standards Council.

Alerts, Conferences / Webinars, headline »

[18 Sep 2009]
Heading out to PCI Community Meeting

If anyone is heading out to the PCI Community Meeting in Las Vegas next week and wants to connect, let me know (best way to connect is via email). Several of us from NetSPI are heading out to participate in the meeting and I’m looking forward to an informative meeting.
I’ll be at the meeting Tuesday through Thursday evening so let me know. I’ll also try to post after getting back from the meeting with anything interesting or useful that I find out. One of the other …