Articles tagged with: application security
PCI News, Vendors, application security, headline »
I walked into the office this morning and got this in my RSS feed aggregator:
VISA Provides Guidance on Secure Implementation and Management of Payment Applications [link]
After taking a look at the press release and reading through the actual document that VISA (and SANS, apparently) produced [link], I think it’s a pretty interesting move on the part of VISA. If you haven’t yet taken a look and you work for a retailer or a software vendor that sells to the retail space, I’d advise downloading the …
application security, headline »
OK - maybe not all of them, but the most common ones that I’m hearing, anyway…
After asking you all to give me some questions on PA-DSS, I am finally getting around to posting some answers. Some of them are also taken directly from numerous conversations that I have had with software vendors over the last several months and, truthfully, I’m glad that I waited to put that post together… It’s not entirely retail focused, as PA-DSS crosses most industries, but I hope it proves useful in answering some common questions…
It’s located …
PCI News, PED / Payment Terminals, application security, featured »
This morning I had an interesting thought - I want to offer up something to anyone who is reading this blog and may have some questions regarding the Payment Application Data Security Standard (PA-DSS).
This is an invitation to a ‘passive PA-DSS Q&A session’. The reason I am calling this ‘passive’ is that it is not going to be a live session - if you have questions regarding the PA-DSS, what certain requirements mean, or how your particular situation affects its applicability to you, post them in the comments and …
Conferences / Webinars, Interesting, featured »
This was actually the first time that I saw Bruce speak (which is odd, since we live in the same metro area), and I must say that I’ve somewhat avoided him as I’m not a big fan of the whole celebrity-like, hyped-up thing (I still haven’t seen Forrest Gump and probably never will), but I thought this was a really good talk and I found myself pleasantly surprised.
Bruce Schneier: The Future of the Security Industry: IT is Rapidly Becoming a Commodity from David Bryan on Vimeo.
Conferences / Webinars, Interesting »
Thanks to David Bryan for getting these up! Here’s another video from the event - this one is the presentation on OpenSAMM, the Software Assurance Maturity Model - interesting, and very much geared towards building security into the software development process rather than bolting it on afterwards. I think this is a great approach, but I have to admit that the practicality is something that I wonder about…
Pravir Chandra: Software Assurance Maturity Model (OpenSAMM) from David Bryan on Vimeo.
PCI Philosophy / Approach, application security »
Much of the time, particularly in the retail / hospitality space, compliance is what drives security efforts. I have a problem with security via compliance, as it tends to result in an approach that is far too narrow for the overall security of the organization. I understand the importance of PCI compliance and the need to become and remain compliant (obviously), but I also think that the whole cliché, ‘missing the forest for the trees’, applies really well to a security team that is chasing compliance rather than building …
Interesting, PCI Philosophy / Approach »
I have to admit that I don’t always see eye-to-eye with the PCI Knowledge Base on their approach to PCI in retail (it’s a philosophical thing - they are very good about accuracy, etc.), but this article was very interesting and, I think, very relevant.
I’m actually involved with a webinar that is going to happen in January that discusses PA-DSS and its impact on retail technology strategy and buying decisions over the next 18 months. In other words, as a retailer, why should I care about PA-DSS… As it gets …