Articles in the PCI Philosophy / Approach Category
NRF, PCI News, PCI Philosophy / Approach, Retailers, Vendors, application security, headline »
As promised, I’m posting this as a follow-up to this year’s NRF show in NYC. It is going to be a short post as there really isn’t a lot to talk about from the show, particularly in terms of security or compliance.
The big news this year is that the show didn’t suck. Someone told me that it was the best attended show (by retailers) in the last 5 years. I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic …
Alerts, Conferences / Webinars, PCI News, PCI Philosophy / Approach, PED / Payment Terminals »
The Council is hosting a couple of ‘open mic’ webinars for industry stakeholders on the 8th and 9th of December. They are trying to update the industry following the Community Meeting and get some feedback or questions…
These are typically reserved for Participating Organizations, but for this round they are opening it up to the broader industry… Here’s the link:
PCI Council Webinar Release
Conferences / Webinars, PCI Philosophy / Approach, featured »
OK - this is the feedback on the Community Meeting that I had mentioned although it really turned into a philosophical post about what your PCI partners should really be doing for you (hint: being a partner).
This one’s over at the NetSPI blog as well (I swear that I’m still going to be posting over here on a more regular basis, but, since NetSPI’s doing a good job with the blog, I’m going to blend my posts between the two blogs…). Any feedback is going to have to come here, …
PCI Philosophy / Approach, application security, featured »
The links are a little messed up, so you might want to wait until about 10AM tomorrow to take a look, but, my newest NetSPI post is up.
Also, if you are interested in understanding a bit more about how PCI impacts industries outside of retail and hospitality, or in looking through some more technical posts on penetration testing and the like, I’d tune into the NetSPI blog. The team has really embraced blogging and collectively we are putting out a very good mix of posts (at least I think so).
Although …
PCI News, PCI Philosophy / Approach, PED / Payment Terminals »
Every business day I have multiple conversations with software vendors regarding PA-DSS. Some of these vendors are currently being pressured by important clients to address PA-DSS validation. Some are looking at their strategic product investments over the next 18 months including technology, features enhancements, marketing, etc. and are building PA-DSS into their operational model. These two groups are actively moving forward with the PA-DSS validation process. NetSPI is helping them with potential changes to process, documentation, and (if needed) code to make certain that their applications are going to successfully …
PCI Philosophy / Approach »
Just a reference to another NetSPI blog post that just went up… link
PCI Philosophy / Approach »
So my first post for the official NetSPI PCI blog is up there and, true to form, it’s not of a technical nature - merely an observation on how far the impact of PCI reaches. One of the things that I talk about is how the retail and hospitality communities have gone through something very close to the grieving process in dealing with PCI - now organizations outside of retail and hospitality are starting this process - and it’s just as painful for them as it was for the retail …
Alerts, Interesting, PCI Philosophy / Approach »
Sorry - I have been a bit out-of-pocket lately and I haven’t been able to post as frequently as I would like (I’m shooting for basically once per week at least and hopefully a good bit more.)
That being said - this isn’t going to be much of a post - just a quick note to mention that NetSPI’s corporate blog is finally up! Yeah!
It went live this week, so the volume of content is minimal, but the first posts that are up are very informative and will help to provide some …
PCI Philosophy / Approach, application security »
Much of the time, particularly in the retail / hospitality space, compliance is driving security efforts. I tend to have a problem with security via compliance as it tends to result in an approach that is far too narrow for the overall security of the organization. I understand the importance of PCI compliance and the need to become and remain compliant (obviously), but I also think that the whole cliche, ‘missing the forest for the trees’, applies really well to a security team that is chasing compliance rather than building …