
Articles in the Alerts Category

Alerts, Interesting, PCI Philosophy / Approach »

[22 Jul 2009]

Sorry - I have been a bit out-of-pocket lately and I haven’t been able to post as frequently as I would like (I’m shooting for basically once per week at least and hopefully a good bit more.)
That being said - this isn’t going to be much of a post - just a quick note to mention that NetSPI’s corporate blog is finally up! Yeah!
It went live this week, so the volume of content is minimal, but the first posts that are up are very informative and will help to provide some …

Alerts »

[11 Jun 2009]

Changed the template today (needed something different) and I have some stuff to do still - the Archives are currently not accessible and the RSS feed needs to come back to the top…  Otherwise I think it’s a little easier to read…

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Retailers »

[31 Mar 2009]

So the council sat down in front of Congress today…
Cybersecurity hearing highlights inadequacy of PCI DSS.

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[13 Mar 2009]

Quick statement from RBS in response to a request for information from the Office of Inadequate Security Blog.
RBS WorldPay statement | Office of Inadequate Security.

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[5 Mar 2009]

I’m glad to see that the Council is following through on their commitment to hold assessors to a certain level of work and expertise.
Sadly we run into low-balling competition all the time and it’s sometimes hard to explain to potential clients that there is, really, a difference between what NetSPI provides and what the low-balling competition is actually delivering.
PCI QSA assurance program penalizes assessors.

Alerts, Conferences / Webinars, PED / Payment Terminals, Vendors »

[3 Mar 2009]

The webinar that NetSPI put on with VeriFone is up on the VeriFone webex repository.  It requires registration, but they have been very careful with the use of the registration information that they have gathered, so I’m not concerned about it.
The webinar was built to answer some questions for merchants in particular, so this isn’t an overly technical presentation, but it should help shed some light on how PA-DSS differs from PABP and why retailers and online merchants should care about the standard.  It also showcases some of VeriFone’s solutions …

Alerts, PCI News »

[24 Feb 2009]

Visa and MasterCard Issue New Breach Warning | Threat Level from Wired.com.
I wonder who it’s going to be….

Alerts, Interesting, PCI News, Vendors »

[21 Jan 2009]

Here’s another article on the Heartland breach - this one from the NYT.  It’s interesting as Heartland’s founder gave a presentation at the VeriFone payments conference in the fall pushing for some of the end-to-end encryption technology that companies (like VeriFone) are starting to implement.
I wonder if that solution would have successfully addressed this attack.
It is interesting how, at the end of this article, they start to call into question the effectiveness of the whole PCI effort.  Now, if you have read anything that I’ve put up on this blog, …

Alerts, Interesting, Vendors »

[20 Jan 2009]

Since Heartland is a company that has taken a very strong view of security, this is very interesting…
Heartland Payment says system was breached - International Herald Tribune.

Alerts, PCI News »

[24 Dec 2008]

Thanks to the guys at PaymentsNews for the heads-up.  Here’s the press release - link
More information is also available here