Articles in the Interesting Category

Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[10 Jun 2009]

I have a longer post that I’ve held off on so far regarding the Savvis lawsuit and its potential impact on the retail community, but, as I hash through that effort (and try to make it a little less ‘rangey’), I thought I’d put this out…
If you are unfamiliar with the Savvis suit, the details can be found in this article from Kim Zetter (link).  It’s an interesting read and does a really good job of summarizing the situation and the potential impacts to the PCI community.  For those of …

Interesting, PCI News »

[5 Jun 2009]

OK, if you are reading this, you’ve managed to find one of the most ‘remote’ security blogs out there - written by someone (me) that is not a security pro or an auditor.  I’m just a guy with a couple of decades of experience with retail, hospitality, and the relevant technologies that is now working for a very focused, very accomplished security consulting firm.  It’s been a good fit as my experiences working with retailers (from the very large to the very small) and their vendors marry up quite well …

Interesting »

[20 Apr 2009]

I haven’t posted here in some time, but I’m going to make a concerted effort to get back at it.  I’ve just been working on a ton of stuff recently and the blog has suffered because of it…  Alas…
I thought I’d post this very short article from Chain Store Age regarding the Food Marketing Institute’s stance on the recent interchange increases.  One thing I’ve never really seen is how the interchange rate has been affected by security issues - has it gone up directly because of security breaches?  has any …

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Retailers »

[31 Mar 2009]

So the council sat down in front of Congress today…
Cybersecurity hearing highlights inadequacy of PCI DSS.

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[13 Mar 2009]

Quick statement from RBS in response to a request for information from the Office of Inadequate Security Blog.
RBS WorldPay statement | Office of Inadequate Security.

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[5 Mar 2009]

I’m glad to see that the Council is following through on their commitment to hold assessors to a certain level of work and expertise.
Sadly we run into low-balling competition all the time and it’s sometimes hard to explain to potential clients that there is, really, a difference between what NetSPI provides and what the low-balling competition is actually delivering.
PCI QSA assurance program penalizes assessors.

Interesting »

[30 Jan 2009]

This is not a retail-specific story, but is certainly relevant…
OK - I spend a lot of time working with executives to help them understand that although PCI and related compliance requirements are tangible, mentally ‘packageable’ concepts that can be (relatively) easily understood (at least at a high level) by the company as a whole, they are just the beginning of what should be looked at in terms of security.
So much of what we do is to open people’s eyes to what a real, operational approach to security can …

Interesting, PCI News, Vendors »

[21 Jan 2009]

Yeah - this is just a post with other links in it again…….
Securosis
Payment Systems Blog
Terminal23
Washington Post

Alerts, Interesting, PCI News, Vendors »

[21 Jan 2009]

Here’s another article on the Heartland breach - this one from the NYT.  It’s interesting as Heartland’s founder gave a presentation at the VeriFone payments conference in the fall pushing for some of the end-to-end encryption technology that companies (like VeriFone) are starting to implement.
I wonder if that solution would have successfully addressed this attack.
It is interesting how, at the end of this article, they start to call into question the effectiveness of the whole PCI effort.  Now, if you have read anything that I’ve put up on this blog, …

Alerts, Interesting, Vendors »

[20 Jan 2009]

Since Heartland is a company that has taken a very strong view of security, this is very interesting…
Heartland Payment says system was breached - International Herald Tribune.