Legal & Regulatory

PCI Security Policies and You – Part 1

January 7th, 2010

 - Imagine this situation: You have been told to create your school’s security policies. You research all the components and compile the requirements for notification (continue reading...)

The Dangerous Out-Of-Scope PCI Charade

November 17th, 2009

 - Dominating many discussions over the last few weeks in payment security circles has been speculation over what the PCI Council, Visa and others will decide about declaring some types of data out-of-scope for PCI (continue reading...)

OWASP Top Ten for 2010 Released

November 13th, 2009

 - Late today (Friday) a preliminary update to the OWASP 10 for 2010 was released (click here). As most of you know, PCI compliance requires (among a bunch of other things...) that all custom (continue reading...)

It’s Not Just For Card Data Any More

November 11th, 2009

 - With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have opted to take a far too narrow view of data protection. The PCI rules are absolutely designed (continue reading...)

Processor Best Practices You Can Use

October 29th, 2009

 - Visa just released its Cardholder Data Security Best Practices for VisaNet Processors. I think there are some things in this document that you as merchants can use, too. Here are a few (continue reading...)

A Personal Note

October 28th, 2009

 - I hope you will allow me this personal blog post, but I learned today that David Taylor of the PCI Knowledge Base passed away suddenly Tuesday. Dave was a friend and colleague. I was (continue reading...)

Is Your Web App Secure? Really?

October 20th, 2009

 - The Web Application Security Consortium (WASC) today announced the findings of its WASC Web Application Security Statistics Project 2008. Their objective was to pool data from a number of sources to assess (continue reading...)

Keeping Informed

October 20th, 2009

 - One of the hardest parts about payments and PCI is keeping informed of new developments, state laws, emerging threat vectors, and ideas about what may be coming. You are already making a start by (continue reading...)

PCI Merchant Levels Cleared or Confused?

October 20th, 2009

 - Branden Williams writes that Visa and MasterCard have pulled the "reciprocity" from their merchant level definitions (see here). For those of you not up on all the details, I'll try and explain (continue reading...)

Operation Phish Phry

October 8th, 2009

 - How full is the "junk" folder in your email account? If you are like me, it gets filled faster each day with junk email. Most of these emails are simply, well, junk. But some are (continue reading...)

Your Campus Hotel and PCI

October 6th, 2009

 - I have been working with and talking to a number of schools recently that operate hotels on campus. These hotel operations face particular PCI compliance challenges due to the nature of the hotel business. (continue reading...)

POS PIN-entry Vulnerabilities

October 5th, 2009

 - Those of you with PIN-entry devices (PEDs) at your point of sale (POS) should take a look at Visa's POS PIN Entry Device Vulnerabilities white paper out today. Visa reports on the (continue reading...)

Purchasing, Travel, and Corporate Cards and PCI Scope – Some Closure!

September 25th, 2009

 - I have blogged here (see here with comments, and here, and here) and elsewhere about whether “corporate cards” used for travel and purchasing should be in the “issuing” school’s own scope for (continue reading...)

PCI Community Meeting – Day 2

September 24th, 2009

 - Day 2 of the PCI Community Meeting has just concluded. We heard from former Representative Tom Davis about the prospects for federal legislation addressing cyber security. My take from the presentation is (continue reading...)

PCI Community Meeting – Day 1 at The Listening Meeting

September 23rd, 2009

 - I'm here in Las Vegas with 650 of my closest PCI friends, including Tom Davis of Indiana University (for those of you who forgot, we represent NACUBO which is a Participating Organization). The PCI (continue reading...)

Off to the PCI Community Meeting!

September 21st, 2009

 - I'm getting ready to head off to the PCI Community Meeting. Tom Davis of IU and I will be there representing NACUBO and the Treasury Institute -- and therefore, YOU. Thanks to those (continue reading...)

Being the “Bad Guy”

September 15th, 2009

 - Are we in the "no" business? I have to ask that question because of what I sometimes encounter in PCI assessments and even PCI training. I recommend limiting Internet access or restricting access to cardholder data (continue reading...)

UPDATED: More on Choosing A QSA

September 10th, 2009

 - I previously referenced an article on how to select a QSA. Now there is another article (4 Ways to Get the Most From your PCI QSAs) at Computerworld with similarly good advice. (continue reading...)

Real Cost of a Security Breach?

September 7th, 2009

 - There is a standard benchmark used to calculate the cost of a security breach: about $200 per account compromised. But often the compromise is not based on, say, compromised payment cards. Sometimes (continue reading...)

Procurement Cards Can Be Breached, Too

September 3rd, 2009

 - The University of Vermont reported that up to 240 university-funded procurement cards appear to have been compromised/breached. I don't know all the details, but it gives me the opportunity to raise two important (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.