I’ve been traveling a lot lately and, although I’ve read and had lots of commentary about a number of blog posts and news article recently relating to retail security, I haven’t had the time to write them down and post them…
So I’ve decided that I’m going to post a summary of the posts and articles that I’ve read over the last week or so that I’ve thought were interesting and relevant.  This isn’t what I’d really prefer to do - I’d much rather take the opportunity to rant about something …

Short post here, but things always seem to happen in groups, so I thought I’d make everyone aware of a couple of current and upcoming opportunities to dig into a very important topic (particularly during budget season) - Security Metrics.
NetSPI is putting on a webinar tomorrow (Thursday, Aug 26th) with Symantec - here’s the info/sign-up page on their website (full disclosure, if you don’t know by now I work for NetSPI):
Application Security - without metrics it doesn’t exist
And I got the August issue of The ISSA Journal yesterday and the …

I walked into the office this morning and got this in my RSS feed aggregator:
VISA Provides Guidance on Secure Implementation and Management of Payment Applications [link]
After taking a look at the press release and looking through the actual document that VISA (and SANS apparently) produced [link] I think it’s a pretty interesting move on the part of VISA.  If you haven’t yet taken a look and you work for a retailer or a software vendor that sells to the retail space, I’d advise downloading the …

Hey look - another lawsuit….
Well - right now it’s just the threat of a suit…  The information is a bit thin and I’m not sure (based on the press release) whether or not this is a complaint about the software, the implementation of the software, the hardware system, or all of the above.
What it does look like is a bit of a fishing exercise by the law firms - let’s send out the press release, make it general enough that we include just about anyone that even thought about touching the …

The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting.  It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):

That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
If you are big enough, VISA is going to …

As promised, I’m posting this as a follow-up to this year’s NRF show in NYC.  It is going to be a short post as there really isn’t a lot to talk about from the show, particularly in terms of security or compliance.
The big news this year is that the show didn’t suck.  Someone told me that it was the best attended show (by retailers) in the last 5 years.  I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic …

This one has some significant implications for software security and the role & responsibility of technology vendors.  Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is that fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occured, they have taken that holistic understanding and are working to hold …

Image by Wonderlane via Flickr

With the Microsoft SharePoint conference having recently taken place, I have been thinking a lot about SharePoint lately (haven’t you?) and about what a powerful and dangerous tool it can be.

Before I get into what I’ve been thinking about, here are a few things to consider:

A Microsoft employee recently told me that SharePoint has been the most rapidly adopted product in Microsoft’s history. While I haven’t been able to confirm this, it doesn’t really matter - what matters is, it’s everywhere and it …

OK - maybe not all of them, but the most common that I’m hearing anyway…
After asking you all to give me some questions for PA-DSS, I finally am getting around to posting up some answers.  Some of them are also taken directly from numerous conversations that I have had with software vendors over the last several months and, truthfully, I’m glad that I waited to put that post together…It’s not entirely retail focused, as PA-DSS crosses most industries, but I hope it proves useful in answering some common questions…
It’s located …

The links are a little messed up, so you might want to wait until about 10AM tomorrow to take a look, but, my newest NetSPI post is up.
Also, if you are interested in understanding a bit more about how PCI impacts industries outside of retail and hospitality or in looking through some more technical posts on penetration testing and the like, I’d tune into the NetSPI blog.  The team has really embraced blogging and collectively we are putting out a very good mix of posts (at least I think so.)
Although …