Articles in the PCI News Category
Conferences / Webinars, PCI News, PCI Philosophy / Approach, PED / Payment Terminals, headline »
I started to write a detailed feedback post on the 2010 PCI Community Meeting in Orlando that I attended last week, but realized that there were far more intelligent people than myself already posting, so I’m going to keep my commentary to impressions and general feedback and provide some links to posts that should prove useful for those that are interested in some of the details that came out of the meeting (and what’s coming in PCI / PA 2.0).
To begin with, the entire attitude of the meeting this year …
Alerts, Conferences / Webinars, PCI News, headline »
OK - so I’m on a plane this afternoon (for the 4th week in a row - my wife loves me right now!) heading to Orlando - it’s time for the PCI Community Meeting!
Last year blogging was unofficially encouraged, but there really wasn’t all that much to blog about - this year should prove a bit different given the release of the updated standard. I’ll try to put together a post or two on relevant and interesting information (that I’m allowed to share), but I’ll also be the moderator on …
PCI News, Vendors, application security, headline »
I walked into the office this morning and got this in my RSS feed aggregator:
VISA Provides Guidance on Secure Implementation and Management of Payment Applications [link]
After taking a look at the press release and looking through the actual document that VISA (and SANS apparently) produced [link] I think it’s a pretty interesting move on the part of VISA. If you haven’t yet taken a look and you work for a retailer or a software vendor that sells to the retail space, I’d advise downloading the …
Alerts, Interesting, PCI News, Retailers, Vendors, featured »
After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out. He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!. We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …
Alerts, PCI News, application security, featured »
Hey look - another lawsuit….
Well - right now it’s just the threat of a suit… The information is a bit thin and I’m not sure (based on the press release) whether or not this is a complaint about the software, the implementation of the software, the hardware system, or all of the above.
What it does look like is a bit of a fishing exercise by the law firms - let’s send out the press release, make it general enough that we include just about anyone that even thought about touching the …
Alerts, Interesting, PCI News, PED / Payment Terminals, Retailers, application security, headline »
The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting. It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):
1. That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
2. If you are big enough, VISA is going to …
Alerts, PCI News, PCI Philosophy / Approach »
Here’s the link to a webinar that NetSPI and CoreTrace are doing on April 8th. So far we have a really good set of attendees and David Gianna, one of NetSPI’s senior consultants and QSAs, is going to be presenting on:
- Quick PCI overview, including the role of the PCI Security Standards Council and QSAs; the interrelationship of PCI-DSS, PA-DSS and PED; Merchant-Acquirer-QSA relationship; and the major PCI-DSS requirements
- Discussion of PCI compliance versus Information Security and the relationship between each
- Baseline view of the operational realities that make …
NRF, PCI News, PCI Philosophy / Approach, Retailers, Vendors, application security, featured »
As promised, I’m posting this as a follow-up to this year’s NRF show in NYC. It is going to be a short post as there really isn’t a lot to talk about from the show, particularly in terms of security or compliance.
The big news this year is that the show didn’t suck. Someone told me that it was the best attended show (by retailers) in the last 5 years. I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic …
PCI News, featured »
I haven’t posted anything forever!!!
Bad Alex!
Well, I’m heading out to another NRF this weekend and I promise that I’ll post something either from the show or shortly thereafter. It might have something to do with how poorly security is represented at the show (other than at least 25 ‘Instant PCI’ offerings and Trustwave throwing money around…), but we’ll see.
If anyone out there is actually going to be at NRF and is interested in connecting, please let me know - alex.crittenden@yahoo.com - and we’ll figure something out.
Thanks and Happy New Year!

