
Articles in the PCI News Category

Interesting, PCI News, Retailers, Vendors, application security, featured

[25 Nov 2009]
Another Interesting Lawsuit

This one has some significant implications for software security and the role & responsibility of technology vendors.  Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is the fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occurred, they have taken that holistic understanding and are working to hold …

Interesting, PCI News, Retailers, headline

[16 Oct 2009]
More fun with Hannaford…

PCI is just so damn interesting - it’s like a soap opera…  Seriously - if you don’t have to deal with it every day, I’m sure (as a retailer) that you count yourself lucky, but honestly it’s a hoot.
The game at hand is a combination of punishment and liability avoidance - the case of Hannaford is a good example.  Just when you think it’s all over and Hannaford gets to pick up the pieces and move on, everything takes a new twist.  Now the Maine Supreme Court is getting involved and …

PCI News, PCI Philosophy / Approach, PED / Payment Terminals

[15 Oct 2009]
A Quick Note on PA-DSS and the July Deadline

Every business day I have multiple conversations with software vendors regarding PA-DSS. Some of these vendors are currently being pressured by important clients to address PA-DSS validation. Some are looking at their strategic product investments over the next 18 months including technology, feature enhancements, marketing, etc. and are building PA-DSS into their operational model. These two groups are actively moving forward with the PA-DSS validation process. NetSPI is helping them with potential changes to process, documentation, and (if needed) code to make certain that their applications are going to successfully …

Interesting, PCI News, Vendors

[2 Oct 2009]

OK - I’ve got a couple of posts that I’ll be putting up shortly - one on some feedback from the PCI Community Meeting and one on that list of questions on PA-DSS.  I’ll try to get them up this weekend (work has been crazy and I just haven’t found/committed the time to get these written), but here’s a link to a post this morning from Deke George on the NetSPI blog regarding acquisitions in the security space.
NetSPI Blog - Mergers & Acquisitions

Alerts, PCI News

[18 Sep 2009]

I’m posting this up here again - I realize that a lot of people have already seen this, so it’s not new, but since some very detailed questions popped up in a conversation this week regarding wireless and PCI I thought I’d put it out there again…
Information Supplements - PCI Security Standards Council.

PCI News

[18 Sep 2009]
Postal inspectors uncover MassMutual customer data during ID theft investigation | Office of Inadequate Security

PCI News, PED / Payment Terminals, application security, featured

[9 Sep 2009]
PA-DSS Question & Answer

This morning I had an interesting thought - I want to offer up something to anyone that is reading this blog and may have some questions regarding the Payment Application Data Security Standard (PA-DSS).
This is an invitation to a ‘passive PA-DSS Q&A session’.  The reason I am calling this ‘passive’ is that this is not going to be a live session - if you have questions regarding the PA-DSS, what certain requirements mean, or how your particular situation affects its applicability to you, post it in the comments and …

Interesting, PCI News, PCI Philosophy / Approach, Vendors

[10 Jun 2009]

I have a longer post that I’ve held off on so far regarding the Savvis lawsuit and its potential impact on the retail community, but, as I hash through that effort (and try to make it a little less ‘rangey’), I thought I’d put this out…
If you are unfamiliar with the Savvis suit, the details can be found in this article from Kim Zetter (link).  It’s an interesting read and does a really good job of summarizing the situation and the potential impacts to the PCI community.  For those of …

Interesting, PCI News

[5 Jun 2009]

OK, if you are reading this, you’ve managed to find one of the most ‘remote’ security blogs out there - written by someone (me) that is not a security pro or an auditor.  I’m just a guy with a couple of decades of experience with retail, hospitality, and the relevant technologies that is now working for a very focused, very accomplished security consulting firm.  It’s been a good fit as my experiences working with retailers (from the very large to the very small) and their vendors marries up quite well …

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Retailers

[31 Mar 2009]

So the council sat down in front of Congress today…
Cybersecurity hearing highlights inadequacy of PCI DSS.