Legal & Regulatory

PCI Security Policies and You – Part 1

January 7, 2010 - Imagine this situation: You have been told to create your school’s security policies. You research all the components and compile the requirements for notification in your state, but you ... Read more

MasterCard Revises L2 Validation Requirements

December 17, 2009 - If your school has any Level 2 merchants, you might benefit from changes in MasterCard’s merchant level definitions (see here). If you have a Level 2 merchant for Visa, they are also ... Read more

Attack of the Christmas Greeting Cards

December 16, 2009 - The following warning appeared on the SANS Storm Center. Ignore it at your peril! With the holiday season upon us, lots of folks (me included) have elected to send online greeting cards instead of using traditional paper ... Read more

New PCI Column

December 15, 2009 - Those of you who know me know that I have written a number of articles for publication in addition to this Higher Ed PCI blog. This is to let you know that I have started writing a weekly (eek!) ... Read more

The PCI Knowledge Base Continues

December 10, 2009 - As most of you know, David Taylor, founder of the PCI Knowledge Base, died this past October. His work, the PCI Knowledge Base lives on. The website and discusison forums are continuing. Stop by. Search ... Read more

The Dangerous Out-Of-Scope PCI Charade

November 17, 2009 - Dominating many discussions over the last few weeks in payment security circles has been speculation over what the PCI Council, Visa and others will decide about declaring some types of data out-of-scope for PCI purposes. Getting much less attention ... Read more

PCI Update in NACUBO’s Business Officer

November 17, 2009 - The November issue of NACUBO's Business Officer is out with a report from Tom Davis and me on the PCI Community Meeting. You can see it here once its online. Golly, we even got featured ... Read more

Is Your Campus Hotel Targeted?

November 16, 2009 - If you have a hotel on your campus, you should have a look at Visa's Alert on Targeted Hospitality Industry Vulnerabilities. I've blogged about campus hotel PCI issues before (see here and here), but this release highlights ... Read more

Visa Issues FAQ on its Payment Application Mandates

November 16, 2009 - Visa just released a FAQ on its payment application mandates. Visa issued the mandates with two objectives in mind:To eliminate the use of payment applications that are known to be vulnerable to attack or that store prohibited ... Read more

OWASP Top Ten for 2010 Released

November 13, 2009 - Late today (Friday) a preliminary update to the OWASP 10 for 2010 was released (click here). As most of you know, PCI compliance requires (among a bunch of other things...) that all custom code be reviewed so as ... Read more

It’s Not Just For Card Data Any More

November 11, 2009 - With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have opted to take a far too narrow view of data protection. The PCI rules are absolutely designed to only apply to payment ... Read more

Processor Best Practices You Can Use

October 29, 2009 - Visa just released its Cardholder Data Security Best Practices for VisaNet Processors. I think there are some things in this document that you as merchants can use, too. Here are a few examples with my comments/observations:Entities ... Read more

A Personal Note

October 28, 2009 - I hope you will allow me this personal blog post, but I learned today that David Taylor of the PCI Knowledge Base passed away suddenly Tuesday. Dave was a friend and colleague. I was privileged to know and work ... Read more

Is Your Web App Secure? Really?

October 20, 2009 - The Web Application Security Consortium (WASC) today announced the findings of its WASC Web Application Security Statistics Project 2008. Their objective was to pool data from a number of sources to assess the vulnerability of web applications ... Read more

Keeping Informed

October 20, 2009 - One of the hardest parts about payments and PCI is keeping informed of new developments, state laws, emerging threat vectors, and ideas about what may be coming. You are already making a start by reading this blog (c'mon...what did ... Read more

PCI Merchant Levels Cleared or Confused?

October 20, 2009 - Branden Williams writes that Visa and MasterCard have pulled the "reciprocity" from their merchant level definitions (see here). For those of you not up on all the details, I'll try and explain what's going on.Let's ... Read more

Operation Phish Phry

October 8, 2009 - How full is the "junk" folder in your email account? If you are like me, it gets filled faster each day with junk email. Most of these emails are simply, well, junk. But some are phishing emails sent by ... Read more

Your Campus Hotel and PCI

October 6, 2009 - I have been working with and talking to a number of schools recently that operate hotels on campus. These hotel operations face particular PCI compliance challenges due to the nature of the hotel business. That is, they hold ... Read more

POS PIN-entry Vulnerabilities

October 5, 2009 - Those of you with PIN-entry devices (PEDs) at your point of sale (POS) should take a look at Visa's POS PIN Entry Device Vulnerabilities white paper out today. Visa reports on the increasing number of thefts of ... Read more

Purchasing, Travel, and Corporate Cards and PCI Scope – Some Closure!

September 25, 2009 - I have blogged here (see here with comments, and here, and here) and elsewhere about whether “corporate cards” used for travel and purchasing should be in the “issuing” school’s own scope for PCI. In other ... Read more

Copyright © 2010 The Security Blog. All rights reserved.
Web Statistics Homeland Security blogs & blog posts