
Articles tagged with: PCI

Conferences / Webinars, Interesting, PCI Philosophy / Approach »

[7 Jul 2009]

Seth Peter, NetSPI’s CTO, participated in a webinar on Preventing Multi-Vector Attacks with Eric Schultze from Shavlik. When two very technical security CTOs get together there is a concern (a legitimate concern) that things are going to be unmanageably technical, but it actually turned out to be a great event. It was very conversational and did a very good job of highlighting some of the concerns involved in dealing with sophisticated attacks.
With that said, it might not be the sort of content that you are going to want to ask …

PCI Philosophy / Approach, Vendors »

[5 Jun 2009]

For those software vendors out there that are digging into PA-DSS and what it means for their organization, please read on. This is not an in-depth discussion of PA-DSS, just a couple of things that have been popping up repeatedly for me in conversations with your peers - things that sometimes need clarification or that should be mentioned.

Stuff You Probably Should Know About PA-DSS

It’s not PABP - this may sound obvious, but I’m going to repeat it - PA-DSS is not PABP.  Accept this fact - if your assessment …

PCI News, PCI Philosophy / Approach »

[13 Mar 2009]

Tim over at nCircle posted this entry on his blog (The Lens). Pretty interesting thoughts on PCI and the situation with Coleman’s breach issues.
PCI and Politics (The Lens).

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[13 Mar 2009]

Quick statement from RBS in response to a request for information from the Office of Inadequate Security Blog.
RBS WorldPay statement | Office of Inadequate Security.

Alerts, Interesting, PCI News, PCI Philosophy / Approach, Vendors »

[5 Mar 2009]

I’m glad to see that the Council is following through on their commitment to hold assessors to a certain level of work and expertise.
Sadly, we run into low-balling competition all the time, and it’s sometimes hard to explain to potential clients that there is, really, a difference between what NetSPI provides and what the low-balling competition is actually delivering.
PCI QSA assurance program penalizes assessors.

PCI Philosophy / Approach, Retailers »

[29 Dec 2008]

Just read a couple of articles on StoreFrontBackTalk from earlier in the month. Both were written by David Taylor (who started PCI Knowledge Base - www.knowpci.com) and both were good articles. The one from the 10th had this blurb as one of his recommendations for dealing with security/PCI in a tough economy…
Focus on risk reduction, not fine avoidance
Many organizations set their budgets for PCI compliance based on the avoidance of fines. Thousands of CFOs and other financial executives received letters from their acquiring banks in the last three years threatening …

PCI Philosophy / Approach, Retailers »

[23 Dec 2008]

OK -
This must have been the article that Ms. Amato-McCoy had written to spark the little editorial that I also just posted about.
The article is about Staples and their Information Security Officer, Christopher Dunning. It is nice to see that Mr. Dunning seems to have the ‘right’ attitude about security (so says me) and isn’t just looking at the endeavor as something that needs to be checked off.
PCI is a budget exercise. It’s the ‘fundable’ buzzword that finance requires to attach money to security and to give intelligent, business-focused executives …

PCI News »

[22 Dec 2008]

PCI Council and Visa See More PCI Compliance - Bank Systems & Technology.

Conferences / Webinars, Vendors »

[10 Dec 2008]

As I mentioned in a previous post, NRF is coming up and, for those of us that have been in the retail technology space for a number of years, this is a big deal. It’s the one show that tends to draw important retailers and important executives.
With that in mind, I’m going to be doing a couple of things as NRF gets closer:

Posting on some topics of importance for 2009 in retail security
Posting to tools, articles, and other areas of particular interest to retailers that are getting ready for 2009
I’m …

PCI Philosophy / Approach, Vendors »

[11 Nov 2008]

It’s interesting that in this very educated, very suspicious society, we still at times need some help in understanding the hidden agendas of the organizations that we work with.
In the world of information security (particularly in the retail space) things are still a little ‘Wild West’, as there are not a lot of well-defined boundaries between consulting, selling product, and auditing. This creates an interesting environment where conflict-of-interest issues abound.
There are two areas in particular that I think it is extremely important to understand properly:

A PCI consultant …