
Articles in the Interesting Category

Interesting

[29 Sep 2010]

OK - this has nothing to do with security, but I stumbled across this article this morning and had to share.
Having worked with large retail organizations for years implementing technology solutions (and now providing security services) it’s sometimes pretty easy to think of these giant companies as having always been massive, multi-national organizations.
In truth, they all began as a store-front or two, founded by individuals with a vision for their store and how they would succeed.  The culture and the value-proposition that these initial founders established are what have allowed …

Interesting, Retailers, application security

[3 Sep 2010]

I’ve been traveling a lot lately and, although I’ve read and had lots of commentary about a number of blog posts and news article recently relating to retail security, I haven’t had the time to write them down and post them…
So I’ve decided that I’m going to post a summary of the posts and articles that I’ve read over the last week or so that I’ve thought were interesting and relevant.  This isn’t what I’d really prefer to do - I’d much rather take the opportunity to rant about something …

Interesting, application security, featured

[25 Aug 2010]
Some Security Metrics Education

Short post here, but things always seem to happen in groups, so I thought I’d make everyone aware of a couple of current and upcoming opportunities to dig into a very important topic (particularly during budget season) - Security Metrics.
NetSPI is putting on a webinar tomorrow (Thursday, Aug 26th) with Symantec - here’s the info/sign-up page on their website (full disclosure, if you don’t know by now I work for NetSPI):
Application Security - without metrics it doesn’t exist
And I got the August issue of The ISSA Journal yesterday and the …

Interesting, featured

[5 Aug 2010]
Why Your Phone Can’t Really Replace Your Credit Card | Epicenter | Wired.com

This is a good, quick article from Wired in response to some recent news stories that the wireless carriers were trying to do an end-around on the credit card companies.  Someone finally got around to doing some actual investigation on what the carriers were doing and it’s not an end-around, Discover’s highly involved.
The article also talks about why the major card brands work and attempts at breaking the system and introducing a new model for credit cards (none of which have yet worked)…  Not really a security article, but …

Interesting, featured

[15 Jun 2010]
Firewall Security - a short article and comment

This morning I read the short article that I link to below.  It’s focused on firewall management and review which is a topic that I think many retail and hospitality organizations should be paying more attention to.
The study in the article was sponsored by a vendor that provides firewall management solutions (go figure), but it doesn’t mean that the message isn’t an important one - firewalls are easy to forget about once you have them in place and (particularly in retail and hospitality) there are so many things that your network …

Alerts, Interesting

[11 Jun 2010]
Short Post On A Lesson Learned - Hackers Break Into Reddit’s Gmail and Twitter Accounts

Why am I posting this on a retail infosec blog?  Because of the last two paragraphs:
… Why does Reddit use a Gmail account for this purpose, anyway? One of the site’s moderators answers: “When we were much, much smaller (no mail server, etc) it was the easiest way for several people to get to the feedback account at the same time, and it stuck.”
So there you have it: as the company grows, it should continually update its security practices, otherwise it might find that certain …

Alerts, Interesting, PCI News, Retailers, Vendors, featured

[2 Jun 2010]
Additional Information About That Potential Lawsuit

After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out.  He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!.  We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …

Alerts, Interesting, PCI News, PED / Payment Terminals, Retailers, application security, headline

[27 May 2010]
ExxonMobil’s PA-DSS Extension

The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting.  It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):

That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
If you are big enough, VISA is going to …

Interesting, PCI News, Retailers, Vendors, application security, featured

[25 Nov 2009]
Another Interesting Lawsuit

This one has some significant implications for software security and the role & responsibility of technology vendors.  Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is the fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occurred, they have taken that holistic understanding and are working to hold …

Interesting, Vendors

[4 Nov 2009]

So everyone knows at this point that AT&T has acquired VeriSign’s global security consulting business.  I’m not really sure why AT&T actually bought them although I’m sure that they have some sort of Grand Plan, much the same way that Verizon had when they acquired Cybertrust and all of the other companies that they bought over the years… 
What seems to really happen is that these large firms that don’t have a focus on security see an opportunity and spend a bunch of money to acquire well-known brands and, far …