After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out.  He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!.  We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …

Hey look - another lawsuit….
Well - right now it’s just the threat of a suit…  The information is a bit thin and I’m not sure (based on the press release) whether or not this is a complaint about the software, the implementation of the software, the hardware system, or all of the above.
What it does look like is a bit of a fishing exercise by the law firms - let’s send out the press release, make it general enough that we include just about anyone that even thought about touching the …

The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting.  It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):

That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
If you are big enough, VISA is going to …

Here’s the link to a webinar that NetSPI and CoreTrace are doing on April 8th.  So far we have a really good set of attendees and David Gianna, one of NetSPI’s senior consultants and QSAs, is going to be presenting on:

Quick PCI overview, including the role of the PCI Security Standards Council and QSAs; the interrelationship of PCI-DSS, PA-DSS and PED; Merchant-Acquirer-QSA relationship; and the major PCI-DSS requirements
Discussion of PCI compliance versus Information Security and the relationship between each
Baseline view of the operational realities that make …

Thank you to David Navetta - his site is an excellent source of information regarding privacy law and he spends a lot of time putting out very good information about the legal issues surrounding compliance.
FAQ on Washington State’s Impending PCI Law : Info Law Group .

As promised, I’m posting this as a follow-up to this year’s NRF show in NYC.  It is going to be a short post as there really isn’t a lot to talk about from the show, particularly in terms of security or compliance.
The big news this year is that the show didn’t suck.  Someone told me that it was the best attended show (by retailers) in the last 5 years.  I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic …

I haven’t posted anything forever!!!
Bad Alex!
Well, I’m heading out to another NRF this weekend and I promise that I’ll post something either from the show or shortly thereafter.  It might have something to do with how poorly security is represented at the show (other than at least 25 ‘Instant PCI’ offerings and Trustwave throwing money around…), but we’ll see.
If anyone out there is actually going to be at NRF and is interested in connecting, please let me know - alex.crittenden@yahoo.com - and we’ll figure something out.
Thanks and Happy New Year!
Related …

The Council is hosting a couple of ‘open mic’ webinars for industry stakeholders on the 8th and 9th of December.  They are trying to update the industry following the Community Meeting and get some feedback or questions….
These are typically reserved for Participating Organizations, but for this round they are opening it up to the broader industry…  Here’s the link:
PCI Council Webinar Release

IBM continues to quietly buy up both analytics companies and (more importantly for us) security companies…  After picking up Ounce Labs earlier, IBM has now acquired Guardium.
Guardium - IBM Acquires Guardium.

This one has some significant implications for software security and the role & responsibility of technology vendors.  Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is that fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occured, they have taken that holistic understanding and are working to hold …