Quick statement from RBS in response to a request for information from the Office of Inadequate Security Blog.
RBS WorldPay statement | Office of Inadequate Security.

I’m glad to see that the Council is following through on their commitment to hold assessors to a certain level of work and expertise.
Sadly we run into low-balling competition all the time and it’s sometimes hard to explain to potential clients that there is, really, a difference between what NetSPI provides and what the low-balling competition is actually delivering.
PCI QSA assurance program penalizes assessors.

The webinar that NetSPI put on with VeriFone is up on the VeriFone webex repository.  It requires registration, but they have been very careful with the use of the registration information that they have gathered, so I’m not concerned about it.
The webinar was built to answer some questions for merchants in particular, so this isn’t an overly technical presentation, but it should help shed some light on how PA-DSS differs from PABP and why retailers and online merchants should care about the standard.  It also showcases some of VeriFone’s solutions …

Yeah - this is just a post with other links in it again…….
Seurosis
Payment Systems Blog
Terminal23
Washington Post

Here’s another article on the Heartland breach - this one from the NYT.  It’s interesting as Heartland’s founder gave a presentation at the VeriFone payments conference in the fall pushing for some of the end-to-end encryption technology that companies (like VeriFone) are starting to implement.
I wonder if that solution would have successfully addressed this attack.
It is interesting how, at the end of this article, they start to call into question the effectiveness of the whole PCI effort.  Now, if you have read anything that I’ve put up on this blog, …

Since Heartland is a company that has taken a very strong view of security, this is very interesting…
Heartland Payment says system was breached - International Herald Tribune.

OK - I should be adding some content here, but this short post on Anton Chuvakin’s blog is too good.  If you are in retail IT and ‘compliance’ has been ‘given’ to you (aren’t you lucky), you need to read this post and follow the links….
Anton Chuvakin Blog - “Security Warrior”: Tales From the “Compliance First” World.

As I mentioned in a previous post, NRF is coming up and, for those of us that have been in the retail technology space for a number of years, this is a big deal.  It’s the one show that tends to draw important retailers and important executives.
With that in mind, I’m going to be doing a couple of things as NRF gets closer:

Posting on some topics of importance for 2009 in retail security
Posting to tools, articles, and other areas of particular interest to retailers that are getting ready for 2009
I’m …

It’s good to see a ‘vendor’ understanding that providing a secure solution is extremely valuable to the retail community…
VeriFone Takes Lead in Securing Card Payments with PA-DSS
Will Only Provide PA-DSS Audited Payment Applications in Initiative that Supports New Rules Governing PCI Compliance for All Levels of Merchants
VeriFone Takes Lead in Securing Card Payments with PA-DSS - MarketWatch.