Articles in the PCI Philosophy / Approach Category
PCI Philosophy / Approach, application security »
Much of the time, particularly in the retail / hospitality space, compliance is driving security efforts. I tend to have a problem with security via compliance, as it tends to result in an approach that is far too narrow for the overall security of the organization. I understand the importance of PCI compliance and the need to become and remain compliant (obviously), but I also think that the whole cliche, ‘missing the forest for the trees’, applies really well to a security team that is chasing compliance rather than building …
Conferences / Webinars, Interesting, PCI Philosophy / Approach »
Seth Peter, NetSPI’s CTO, participated in a webinar on Preventing Multi-Vector Attacks with Eric Schultze from Shavlik. When two very technical security CTOs get together, there is a concern (a legitimate concern) that things are going to be unmanageably technical, but it actually turned out to be a great event. It was very conversational and did a very good job of highlighting some of the concerns involved in dealing with sophisticated attacks.
With that said, it might not be the sort of content that you are going to want to ask …
PCI Philosophy / Approach, Vendors, featured »
I have spoken with a number of companies over the last several weeks that are preparing themselves to go through the PA-DSS assessment process (software providers, not security firms), and they are all trying to understand the level of priority that they need to set. Smaller firms in particular are trying to come to grips with the fact that they are now required to go through an expensive, potentially disruptive assessment process that they did not previously have to address.
It only makes sense that they all end up asking the question, ‘are …
Interesting, PCI News, PCI Philosophy / Approach, Vendors »
I have a longer post that I’ve held off on so far regarding the Savvis lawsuit and its potential impact on the retail community, but, as I hash through that effort (and try to make it a little less ‘rangey’), I thought I’d put this out…
If you are unfamiliar with the Savvis suit, the details can be found in this article from Kim Zetter (link). It’s an interesting read and does a really good job of summarizing the situation and the potential impacts to the PCI community. For those of …
PCI Philosophy / Approach, Vendors »
For those software vendors out there that are digging into PA-DSS and what it means for their organization, please read on. This is not an in-depth discussion of PA-DSS, just a couple of things that have been popping up repeatedly for me in conversations with your peers - things that sometimes need clarification or that should be mentioned.
Stuff You Probably Should Know About PA-DSS
It’s not PABP - this may sound obvious, but I’m going to repeat it - PA-DSS is not PABP. Accept this fact - if your assessment …
Alerts, Interesting, PCI News, PCI Philosophy / Approach, Retailers »
So the council sat down in front of Congress today…
Cybersecurity hearing highlights inadequacy of PCI DSS.
PCI News, PCI Philosophy / Approach »
Tim over at nCircle posted this entry on his blog (The Lens). Pretty interesting thoughts on PCI and the situation with Coleman’s breach issues.
PCI and Politics (The Lens).
Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »
Quick statement from RBS in response to a request for information from the Office of Inadequate Security Blog.
RBS WorldPay statement | Office of Inadequate Security.
Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »
I’m glad to see that the Council is following through on their commitment to hold assessors to a certain level of work and expertise.
Sadly we run into low-balling competition all the time and it’s sometimes hard to explain to potential clients that there is, really, a difference between what NetSPI provides and what the low-balling competition is actually delivering.
PCI QSA assurance program penalizes assessors.
Interesting, PCI Philosophy / Approach, Vendors »
OK - I should be adding some content here, but this short post on Anton Chuvakin’s blog is too good. If you are in retail IT and ‘compliance’ has been ‘given’ to you (aren’t you lucky), you need to read this post and follow the links…
Anton Chuvakin Blog - “Security Warrior”: Tales From the “Compliance First” World.