Articles in the PCI Philosophy / Approach Category
Alerts, PCI Philosophy / Approach, PED / Payment Terminals, Vendors »
It’s good to see a ‘vendor’ understanding that providing a secure solution is extremely valuable to the retail community…
VeriFone Takes Lead in Securing Card Payments with PA-DSS
Will Only Provide PA-DSS Audited Payment Applications in Initiative that Supports New Rules Governing PCI Compliance for All Levels of Merchants
VeriFone Takes Lead in Securing Card Payments with PA-DSS - MarketWatch.
PCI Philosophy / Approach, Vendors »
Good article on the Compliance Demystified blog…
PCI Blog - Compliance Demystified » Blog Archive » Technology is not the answer to compliance.
PCI Philosophy / Approach, Vendors »
It’s interesting that in this very educated, very suspicious society, we still at times need some help in understanding the hidden agendas of the organizations that we work with.
In the world of information security (particularly in the retail space) things are still a little ‘Wild West’ as there are not a lot of well-defined boundaries between consulting, selling product, and auditing. This creates an interesting environment where conflict of interest issues abound.
There are two areas in particular that I think it is extremely important to understand properly:
A PCI consultant …
PCI Philosophy / Approach »
Interesting article for Hospitality Technology. It’s a pretty good piece on taking responsibility for the data that you collect and use and it’s got the right focus - your brand and the consumer.
The only thing that I would take a little bit of an issue with is the attitude of compliance being more than security. I think this is the way that a lot of tech guys understand security - it’s locking down the network, managing passwords, and encryption. The definition of ‘Security’ needs to be understood at the business level - security isn’t just technical, it’s not …
Alerts, PCI Philosophy / Approach, PED / Payment Terminals »
This is an article on Storefrontbacktalk that I think everyone should see… PA-DSS is a very misunderstood situation at the moment and has a LARGE number of software vendors suddenly scrambling for certification.
Their scrambling successfully (or unsuccessfully) is going to have real impact on the PCI standing and security posture of the entire retail community. There are currently only 16 consulting organizations in the US that are performing this work and, as my employer (NetSPI) was one of the first 8 on the list, we are heavily focused on this aspect …
LinkedIn, PCI Philosophy / Approach »
This is an early version of a position paper that I am working on, but I thought it might be interesting to throw out here and see what initial reactions are to the general ideas presented. To summarize very rapidly - in my opinion, investing in security is an extremely efficient way to utilize corporate funds even in a down economy. Here’s the initial draft document. Again, this is a ‘position paper’ not a full white paper, so it’s pretty high level…
Also, there are Return-On-Security-Investment (ROSI) strategies …
PCI Philosophy / Approach, Retailers »
This was a quick press release I saw on RIS News’s email newsletter. I actually need to get up to speed with the solution that Urban Outfitters selected (Interceptas), but regardless, there was a quote from John Kyees (CFO) that I thought was really interesting -
“Urban Outfitters’ success is driven by our commitment to understand our customers and connect with them on an emotional level,” says John Kyees, CFO, Urban Outfitters. “When shopping on our Web sites, customers want a quick and hassle-free experience. Taking a tougher stance against e-commerce …
PCI Philosophy / Approach, Retailers »
Another good ‘essay’ from Bruce - the general idea of using ROI as a measure of judging good vs. bad investments doesn’t fly perfectly when it comes to security since so much is based on potential risk rather than solid numbers.
This is a post that CFOs need to read (and more importantly understand) as I often run into IT or IS personnel that are fighting with finance to fund projects and programs that they can’t ‘guarantee’ are going to save the company money - they are mitigating risk…
This is another …
PCI News, PCI Philosophy / Approach, Retailers »
I’m late here, but another very good article from StorefrontBacktalk regarding the Hannaford breach and the reaction from Bill Homa.
StorefrontBacktalk - Former Hannaford CIO: Avoid Microsoft And Change PCI’s Encryption Rules.
I think this one paragraph is particularly interesting:
As for the oft-repeated song that Hannaford was breached while PCI compliant indicates some sort of a PCI indictment, Homa said it comes down to two things: “Either the standards weren’t strong enough or the assessor wasn’t doing his job.”
I think this is an interesting statement for a couple of reasons - first …
Interesting, PCI Philosophy / Approach, Retailers »
Today I got RISNews’ Cross Channel Insights newsletter in my email inbox and the first article I notice is this one…
Enhancing Online Security: U.S. Consumers Lose Nearly $8.5 Billion to Online Threats | | RIS Cross-Channel Retailing Insights: Targeted Articles for Multi-Channel Retailing, E-Tail, and Web Analytics.
Interesting article about online consumer threats (not really PCI-related) that are affecting online purchasers in a big way. The funny thing - the next article in the newsletter is this one -
High Gas Prices Drive More Shoppers Online This Holiday Season
So, online …