Articles in the featured Category

Interesting, featured »

[15 Jun 2010]
Firewall Security - a short article and comment

This morning I read the short article that I link to below.  It’s focused on firewall management and review, which is a topic that I think many retail and hospitality organizations should be paying more attention to.
The study in the article was sponsored by a vendor that provides firewall management solutions (go figure), but it doesn’t mean that the message isn’t an important one - firewalls are easy to forget about once you have them in place and (particularly in retail and hospitality) there are so many things that your network …

Alerts, Retailers, featured »

[9 Jun 2010]
FTC Settlement Order with Dave & Busters

Again via Office of Inadequate Security… their link is below.
So Dave & Busters’ FTC settlement is finalized and it illustrates another concern for merchants that aren’t taking a comprehensive approach to security - the burden of being monitored by the FTC.  Here’s the quote from the press release:
The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year …

Alerts, Interesting, PCI News, Retailers, Vendors, featured »

[2 Jun 2010]
Additional Information About That Potential Lawsuit

After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out.  He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!.  We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …

Alerts, PCI News, application security, featured »

[27 May 2010]
Lawsuit Brewing Against Popular POS Software Provider and Reseller

Hey look - another lawsuit….
Well - right now it’s just the threat of a suit…  The information is a bit thin and I’m not sure (based on the press release) whether or not this is a complaint about the software, the implementation of the software, the hardware system, or all of the above.
What it does look like is a bit of a fishing exercise by the law firms - let’s send out the press release, make it general enough that we include just about anyone that even thought about touching the …

PCI News, featured »

[25 Mar 2010]
Good Information On Another State Adopting PCI As Law

Thank you to David Navetta - his site is an excellent source of information regarding privacy law and he spends a lot of time putting out very good information about the legal issues surrounding compliance.
FAQ on Washington State’s Impending PCI Law: Info Law Group.

NRF, PCI News, PCI Philosophy / Approach, Retailers, Vendors, application security, featured »

[18 Jan 2010]
NRF 2010 Follow-Up (it didn’t suck)

As promised, I’m posting this as a follow-up to this year’s NRF show in NYC.  It is going to be a short post as there really isn’t a lot to talk about from the show, particularly in terms of security or compliance.
The big news this year is that the show didn’t suck.  Someone told me that it was the best attended show (by retailers) in the last 5 years.  I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic …

PCI News, featured »

[6 Jan 2010]
So….. it’s been awhile……

I haven’t posted anything forever!!!
Bad Alex!
Well, I’m heading out to another NRF this weekend and I promise that I’ll post something either from the show or shortly thereafter.  It might have something to do with how poorly security is represented at the show (other than at least 25 ‘Instant PCI’ offerings and Trustwave throwing money around…), but we’ll see.
If anyone out there is actually going to be at NRF and is interested in connecting, please let me know - alex.crittenden@yahoo.com - and we’ll figure something out.
Thanks and Happy New Year!

Interesting, PCI News, Retailers, Vendors, application security, featured »

[25 Nov 2009]
Another Interesting Lawsuit

This one has some significant implications for software security and the role & responsibility of technology vendors.  Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is the fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occurred, they have taken that holistic understanding and are working to hold …

Vendors, application security, featured »

[10 Nov 2009]
SharePoint and Security

With the Microsoft SharePoint conference having recently taken place, I have been thinking a lot about SharePoint lately (haven’t you?) and about what a powerful and dangerous tool it can be.

Before I get into what I’ve been thinking about, here are a few things to consider:

A Microsoft employee recently told me that SharePoint has been the most rapidly adopted product in Microsoft’s history. While I haven’t been able to confirm this, it doesn’t really matter - what matters is, it’s everywhere and it …

Conferences / Webinars, PCI Philosophy / Approach, featured »

[23 Oct 2009]
Beyond the PCI Audit:  Helping Merchants and Service Providers as a Partner

OK - this is the feedback on the Community Meeting that I had mentioned although it really turned into a philosophical post about what your PCI partners should really be doing for you (hint: being a partner).
This one’s over at the NetSPI blog as well (I swear that I’m still going to be posting over here on a more regular basis, but, since NetSPI’s doing a good job with the blog, I’m going to blend my posts between the two blogs…).  Any feedback is going to have to come here, …