Articles in the Retailers Category
Alerts, Retailers, featured »
Again via Office of Inadequate Security… their link is below.
So Dave & Busters’ FTC settlement is finalized and it illustrates another concern for merchants that aren’t taking a comprehensive approach to security - the burden of being monitored by the FTC. Here’s the quote from the press release:
The settlement requires Dave & Buster’s to establish and maintain a program designed to protect the security, confidentiality, and integrity of personal information collected from customers. It also requires the company to obtain independent, professional audits, every other year …
Alerts, Interesting, PCI News, Retailers, Vendors, featured »
After posting about the press release regarding the potential lawsuit (here) I got an email from the PR firm that had sent the release out. He, in turn, connected me to Charles Hoff - the attorney for the retailer that is considering the suit, Brew HaHa!. We had a very interesting conversation and, not being a lawyer, I’m not going to make any comments about the merits of any lawsuit that may or may not come from this episode, but, as I said, the conversation was interesting and this is …
Alerts, Interesting, PCI News, PED / Payment Terminals, Retailers, application security, headline »
The link to the article on StorefrontBacktalk is below (thanks Evan) - this is really interesting. It appears that VISA is providing an extension to ExxonMobil on the July 1st, 2010 PA-DSS deadline…
This implies two things (as far as I can see):
That the deadline everyone was wondering about is legit - why would ExxonMobil feel the need to negotiate an extension with VISA unless the deadline was going to mean something and VISA was going to enforce it at some meaningful level?
If you are big enough, VISA is going to …
NRF, PCI News, PCI Philosophy / Approach, Retailers, Vendors, application security, featured »
As promised, I’m posting this as a follow-up to this year’s NRF show in NYC. It is going to be a short post as there really isn’t a lot to talk about from the show, particularly in terms of security or compliance.
The big news this year is that the show didn’t suck. Someone told me that it was the best attended show (by retailers) in the last 5 years. I’m not sure if that’s an official ruling from the NRF, but I can certainly attest to the fact that traffic …
Interesting, PCI News, Retailers, Vendors, application security, featured »
This one has some significant implications for software security and the role & responsibility of technology vendors. Here’s the link:
Radiant Systems and Computer World responsible for breach affecting restaurants – lawsuit
What’s most interesting to me in all of this is the fact that the restaurants seem to ‘get it’ - they understand the holistic impact of PCI on process, procedures, technology, etc. and, after being smacked around by the card brands for being the merchant where the breach occurred, they have taken that holistic understanding and are working to hold …
Interesting, PCI News, Retailers, headline »
PCI is just so damn interesting - it’s like a soap opera… Seriously - if you don’t have to deal with it everyday, I’m sure (as a retailer) that you count yourself lucky, but honestly it’s a hoot.
The game at hand is a combination of punishment and liability avoidance - the case of Hannaford is a good example. Just when you think it’s all over and Hannaford gets to pick up the pieces and move on, everything takes a new twist. Now the Maine Supreme Court is getting involved and …
Alerts, Interesting, PCI News, PCI Philosophy / Approach, Retailers »
So the council sat down in front of Congress today…
Cybersecurity hearing highlights inadequacy of PCI DSS.
PCI Philosophy / Approach, Retailers »
Just read a couple of articles on StoreFrontBackTalk from earlier in the month. Both were written by David Taylor (who started PCI Knowledge Base - www.knowpci.com) and both were good articles. The one from the 10th had this blurb as one of his recommendations for dealing with security/PCI in a tough economy….
Focus on risk reduction, not fine avoidance
Many organizations set their budgets for PCI compliance based on the avoidance of fines. Thousands of CFOs and other financial executives received letters from their acquiring banks in the last three years threatening …
PCI Philosophy / Approach, Retailers »
OK -
This must have been the article that Ms. Amato-McCoy had written to spark the little editorial that I also just posted about.
The article is about Staples and their Information Security Officer - Christopher Dunning. It is nice to see that Mr. Dunning seems to have the ‘right’ attitude about security (so says me) and isn’t just looking at the endeavor as something that needs to be checked off.
PCI is a budget-exercise. It’s the ‘fundable’ buzzword that finance requires to attach money to security and to give intelligent, business-focused executives …
PCI Philosophy / Approach, Retailers »
For some reason, I didn’t see this earlier, but wanted to say ‘kudos’ to Ms. Amato-McCoy. It’s a short article that just talks about why PCI is important, but as a standard, not as the security end-all that some retailers are still claiming should address all of their security issues.
My favorite quote from the article is at the end - ‘Chains can no longer view security measures simply as a means to achieving some level of “compliance.”
Rather, it is the retailers that take a proactive, foundational approach that will find …

