I’m putting up this post to let everyone know that the blog is going to be changing very shortly - I’m continuing to do a lot of work with leading retailers on information security initiatives and I’m still paying close attention to retail and payments security, but I’m discovering that some other areas of the business world are also starting to become a large part of my daily work life.

As I grow my involvement in these other areas of business (including the healthcare and software technology verticals), I’m starting to find that I have a lot to say regarding issues important to those other business verticals as well, so I’m going to be expanding the focus of the blog to incorporate some of these additional vertical focuses.  Not moving away from retail (and a lot of the articles are still going to be retail-focused - after all, retail technology has been a very, very important part of my professional career) just expanding the discussion.

This blog address is going to become inactive as of this week and all content will be posted to a new URL - http://www.infosecurecomply.com.  Check it out, send me feedback (positive or negative) and thanks for reading.  I’ll keep the same twitter feed (@alexcrittenden) since it’s my personal twitter feed and I’ve pulled all data from this blog into the new site, so all the articles should still be available (although the images might have gotten messed up a bit in the move.

The blog’s also a new design, so don’t be thrown by that.  Thanks to all for reading RetailInfoSec and please head over to InfoSecureComply to keep things going!  Thank you!!!!

untitled_by_paalia_via_flickr

I started to write a detailed feedback post on the 2010 PCI Community Meeting in Orlando that I attended last week, but realized that there were far more intelligent people than myself already posting, so I’m going to keep my commentary to impressions and general feedback and provide some links to posts that should prove useful for those that are interested in some of the details that came out of the meeting (and what’s coming in PCI / PA 2.0).

To begin with, the entire attitude of the meeting this year was a bit different than in past years - I was surprised at the less ‘aggressive’ posture of both the PCI SSC and the card brands themselves and how willing they were to admit the fact that the standard still doesn’t address everything that it maybe should.  The merchants in attendance this year also seemed to be less upset then in past meetings.  Maybe it’s just that this was not a feedback year, but everyone seemed less tense and I think the SSC made an active effort to promote that more relaxed attitude (which I think was a good idea).

Regardless, it made for a more pleasant meeting - the networking opportunities were more productive and useful for all involved and hallway discussions were certainly more prevalent than in past years which I take as an indication that everyone was feeling a bit less tense than in previous years.

The one discussion that seemed a bit more contentious was the PA-DSS discussion as it remains a standard with some inherent confusion for those organizations that are not ‘typical’ POS providers.  Some of the clarifications that came from the brands and the SSC regarding PA-DSS applicability to non-standard POS were helpful, but there were still a number of good points raised by software vendors that the council acknowledged have not yet been fully addressed.

I will pass on one piece of advice - if you are a company that makes (or uses) a payment application for the iPhone or a similar, non-hardened mobile device I would pay close attention to any opinion the SSC may release and I’d get your PA-QSA or QSA on the phone today to discuss.

Now read this post:

Tony Fulda’s post - What’s New in PCI DSS 2.0 - No Surprise That There Are No Surprises

Tony’s great and his post is both funny and informative as it provides a really good overview of the important points of clarification that were discussed at the meeting regarding PCI.

Some additional posts/links that would prove useful:

Summary of changes from the SSC

The Fact Sheets page for the SSC - they made reference to several documents that will shortly be released, so I’d check back on this page periodically

In Defense of the PCI “No social media” Policy - Martin Mckeay

Full Review of the PCI Community Meeting - Branden Williams

UPDATE - one more post to add:

As you know - I’m not a QSA (nor do I pretend to be one on TV) and while I may work for a leading QSA firm my commentary is going to stay pretty high level, but the links above should provide some very good insight into the meeting.

Related articles by Zemanta

• Payment Card Industry Punts On Key Security Questions (blogs.forbes.com)
• Revisions to Credit Card Security Standard on the Way (pcworld.com)

Having worked with large retail organizations for years implementing technology solutions (and now providing security services) it’s sometimes pretty easy to think of these giant companies as having always been massive, multi-national organizations.

In truth, they all began as a store-front or two, founded by individuals with a vision for their store and how they would succeed.  The culture and the value-proposition that these initial founders established are what have allowed these retailers to grow to the size that they have today.

What I think is interesting is that the retailers mentioned in the article have typically done well over the years when sticking with their core founding principles, but have faltered if they have attempted to change the culture and the attitude of their organization.

Retail, no matter how big, is still a relationship with the consumer and when that relationship changes is can be very difficult to digest for both the retailer and their customer.

Where it all began: chain retailers’ first locations.

Last year blogging was unofficially encouraged, but there really wasn’t all that much to blog about - this year should prove a bit different given the release of the updated standard.  I’ll try to put together a post or two on relevant and interesting information (that I’m allowed to share), but I’ll also be the moderator on a webinar that NetSPI is putting on next week - check the NetSPI website in a day or two.  I’ll also be posting the information here as well once everything is fully finalized.

If you are heading down to the meeting and want to meet-up or grab a beer, let me know -

info@retailinfosec.com.

PCI North American Community Meeting.

Related articles by Zemanta

• Defcon 18: The PCI Panel (mckeay.net)
• PCI DSS versus Y2K (brandenwilliams.com)

So I’ve decided that I’m going to post a summary of the posts and articles that I’ve read over the last week or so that I’ve thought were interesting and relevant.  This isn’t what I’d really prefer to do - I’d much rather take the opportunity to rant about something or to try to explain something that we’ve seen out in the ‘real world’, but sometimes you just don’t have the time, so forgive me my laziness this time around.

Heartland and Discover Agree to Settlement

PCI Compliance - Why Spas, Hotels, and Resorts Can No Longer Ignore IT

NetSPI Blog - Security in the Cloud

Some Additional Commentary on VISA Payment Security Best Practices Guidelines…

The Fed Gets Involved with EMV (I find EMV an interesting topic although I might be alone in this…)

Skimming: Old Crime, New Tools (this one is also interesting to me)

I hope that you find these article interesting and I’ll get back to more comment-rich posting shortly.  Thanks!

Related articles by Zemanta

• European Payments Council Newsletter: New Business Opportunities with Chip and PIN (pindebit.blogspot.com)
• Is U.S. “Wising Up” to Smart Card Use in America? (pindebit.blogspot.com)

Actual is not normal (a tribute to Edward Tufte) - kevindooley via flickr

Short post here, but things always seem to happen in groups, so I thought I’d make everyone aware of a couple of current and upcoming opportunities to dig into a very important topic (particularly during budget season) - Security Metrics.

NetSPI is putting on a webinar tomorrow (Thursday, Aug 26th) with Symantec - here’s the info/sign-up page on their website (full disclosure, if you don’t know by now I work for NetSPI):

Application Security - without metrics it doesn’t exist

And I got the August issue of The ISSA Journal yesterday and the cover story is ‘Security Metrics, An Overview’ by Clare Nelson.  It’s a good starting point for Security Metrics and it provides a good list of sources for additional information.  You’re going to have to be an ISSA member to access the article, but if you are reading this blog you should probably join the ISSA regardless (it’s like $95 a year or something).

The Journal is available to ISSA members for download from the ISSA site - ISSA

I will highlight one of the sources that Clare uses for her article (seriously - join the ISSA and read her article) - the Center for Internet Security - not all of their information is free, but the information that you would need to get started implementing a security metrics program is free - it’ll at least get your conversations started…   CIS

Related articles by Zemanta

• Security Metrics - Is This Network Getting Better? (tenablesecurity.com)

VISA Provides Guidance on Secure Implementation and Management of Payment Applications [link]

After taking a look at the press release and looking through the actual document that VISA (and SANS apparently) produced [link] I think it’s a pretty interesting move on the part of VISA.  If you haven’t yet taken a look and you work for a retailer or a software vendor that sells to the retail space, I’d advise downloading the document and reviewing.

Basically, this guidance provides VISA’s best-practices regarding the implementation and support of payment applications that are already PA-DSS validated.  It appears that some of the recent breaches that have occurred (as per the post here) where the break-down in security may have happened during the implementation of the software or through after-deployment support processes has created some action

untitled_by_paalia_via_flickr

from VISA.

Now - what does this mean for you?

If you are a retailer - I’d say that it provides you a list of items that you are going to want to discuss with your software vendors and their resellers.  Most of the items in the document are something that your vendors should already be doing already, but some will, most likely, not be in place today (the reseller training program is something that I wouldn’t expect everyone to have in place today for example).  Number 6 in the press release is interesting as well - most of the software vendors that I’ve been working with are trying not to force an upgrade on all their retail clients (you’d expect otherwise, but, really, most of the vendors aren’t being pushy about it with their clients as far as I can tell), but in #6 VISA is basically telling the vendors to tell you that you have to upgrade if you have an older, pre-validation, version of their solution.

If you are a software vendor - get ready to spend more money and good luck not being held responsible for the actions of your resellers…  In all honesty - most of the items shouldn’t be a huge stretch (a lot of this is just good application security stuff), but the specific notes regarding the reseller training program makes this interesting.  I’m sure that you already have some sort of program in place for your resellers, but this might be a bit different from your general training - what happens when a reseller installs your solution incorrectly AFTER going through your newly implemented security training program and there is a breach?  Who’s going to take the blame (legally or otherwise) for the incorrect installation?

If you have any comments or insight that you’d like to add - please feel free to comment or send me a note via the contact page.

Also - I’ll be heading down to the PCI SSC meeting in September - look for a post after that trip highlighting some of the changes coming from the council on the PCI DSS.

Related articles by Zemanta

• Visa Releases Global Best Practices for Card Data Tokenization (newswire.ca)
• PCI SSC releases highlights for 2.0 changes (deurainfosec.com)
• Time to plug the PCI compliance gap (channelweb.co.uk)

The article also talks about why the major card brands work and attempts at breaking the system and introducing a new model for credit cards (none of which have yet worked)…  Not really a security article, but one that is highly relevant given the focus on payment security.

Why Your Phone Can’t Really Replace Your Credit Card | Epicenter | Wired.com.

I’ve been a bit out-of-pocket recently (a combination of famility vacation & working on projects with some of our large retail and retail technology clients), but wanted to make sure that I made note of this information from VISA in case you hadn’t seen it.

Sorry - that’s it, but as we get through the next crazy week (it’s Black Hat after all…) I’ll try to be more active on the blog - I’ve got a few thoughts on the recent payment terminal announcements from VISA as you might imagine.  Thanks!

Visa Releases New Guidelines For Protecting Card Data - Network Computing.

Related articles by Zemanta

• Visa Inc. Completes Acquisition of CyberSource (pindebit.blogspot.com)
• Tokenization and Chargebacks (brandenwilliams.com)
• Visa yanks PCI approval from PIN entry kit (go.theregister.com)

The study in the article was sponsored by a vendor that provides firewall management solutions (go figure), but it doesn’t mean that the message isn’t an important one - firewalls are easy to forget about once you

Private Property - via Flickr - mollybob

have them in place and (particularly in retail and hospitality) there are so many things that your network and security people have on their to-do list that seem more pressing today then reviewing your firewall rules…

Now, I’m not supporting the vendor that sponsored this study and wouldn’t have the slightest feedback on its products effectiveness, but I am supporting the concept of reviewing and maintaining your firewall configuration.  The company that I work for does a lot of firewall rule assessment and while we are often engaged in this capacity as part of a client’s normal security operations, that isn’t always the case.  Sometimes it’s because management hasn’t appreciated the need to properly maintain firewall rules and now legitimate network traffic is being affected.

OK - back to the article - what’s also interesting is the implication that a company that is not taking the proper steps to review their firewall rules periodically will run into legal liability issues if they are breached.  They hit this point fairly hard, but don’t really provide much in the way of support for their argument.  However, it’s probably fairly valid - if an organization doesn’t manage their firewalls effectively (and isn’t able to demonstrate that they are doing so) it certainly could be something that a lawyer might latch onto …

The Perils of Firewall Security | CTO Edge.

Related articles by Zemanta

• One in 10 IT professionals cheat in audits (computing.co.uk)
• McAfee updates firewall hardware for enterprises (news.cnet.com)