Articles in the Interesting Category

Interesting, featured »

[15 Jun 2010]
Firewall Security - a short article and comment

This morning I read the short article that I link to below.  It’s focused on firewall management and review which is a topic that I think many retail and hospitality organizations should be paying more attention to.
The study in the article was sponsored by a vendor that provides firewall management solutions (go figure), but it doesn’t mean that the message isn’t an important one - firewalls are easy to forget about once you have them in place and (particularly in retail and hospitality) there are so many things that your network …

Alerts, Interesting »

[11 Jun 2010]
Short Post On A Lesson Learned - Hackers Break Into Reddit’s Gmail and Twitter Accounts

Why am I posting this on a retail infosec blog?  Because of the last two paragraphs:
… Why does Reddit use a Gmail account for this purpose, anyway? One of the site’s moderators answers: “When we were much, much smaller (no mail server, etc) it was the easiest way for several people to get to the feedback account at the same time, and it stuck.”
So there you have it: as the company grows, it should continually update its security practices, otherwise it might find that certain …

Alerts, Interesting, PCI News, Retailers, Vendors, featured »

[2 Jun 2010]
Additional Information About That Potential Lawsuit

After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out.  He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!.  We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …

Alerts, Interesting, PCI News, PED / Payment Terminals, Retailers, application security, headline »

[27 May 2010]
ExxonMobil’s PA-DSS Extension

The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting.  It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):

1. That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
2. If you are big enough, VISA is going to …

Interesting, PCI News, Retailers, Vendors, application security, featured »

[25 Nov 2009]
Another Interesting Lawsuit

This one has some significant implications for software security and the role & responsibility of technology vendors.  Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is the fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occurred, they have taken that holistic understanding and are working to hold …

Interesting, Vendors »

[4 Nov 2009]

So everyone knows at this point that AT&T has acquired VeriSign’s global security consulting business.  I’m not really sure why AT&T actually bought them although I’m sure that they have some sort of Grand Plan, much the same way that Verizon had when they acquired Cybertrust and all of the other companies that they bought over the years… 
What seems to really happen is that these large firms that don’t have a focus on security see an opportunity and spend a bunch of money to acquire well-known brands and, far …

Interesting, PCI News, Retailers, headline »

[16 Oct 2009]
More fun with Hannaford…

PCI is just so damn interesting - it’s like a soap opera…  Seriously - if you don’t have to deal with it everyday, I’m sure (as a retailer) that you count yourself lucky, but honestly it’s a hoot.
The game at hand is a combination of punishment and liability avoidance - the case of Hannaford is a good example.  Just when you think it’s all over and Hannaford gets to pick up the pieces and move on, everything takes a new twist.  Now the Maine Supreme Court is getting involved and …

Interesting »

[5 Oct 2009]

Lawsuit: Heartland Knew Data Security Standard was ‘Insufficient’ | Office of Inadequate Security.

Interesting, PCI News, Vendors »

[2 Oct 2009]

OK - I’ve got a couple of posts that I’ll be putting up shortly - one on some feedback from the PCI Community Meeting and one on that list of questions on PA-DSS.  I’ll try to get them up this weekend (work has been crazy and I just haven’t found/committed the time to get these written), but here’s a link to a post this morning from Deke George on the NetSPI blog regarding acquisitions in the security space.
NetSPI Blog - Mergers & Acquisitions

Interesting »

[18 Sep 2009]

This is a pretty funny list - although maybe more sad than funny due to the fact that it’s pretty dead-on…
Anton Chuvakin Blog - “Security Warrior”: Top PCI DSS Security Marketing Annoyances.