Content Tagged ‘PCI’

The PCI Knowledge Base Continues

December 10, 2009 - As most of you know, David Taylor, founder of the PCI Knowledge Base, died this past October. His work, the PCI Knowledge Base, lives on. The website and discussion forums are continuing. Stop by. Search (continue reading...)

PCI Compliance…at a Discount!

December 4, 2009 - Good friend Anton Chuvakin (aka, Security Warrior) along with co-author Branden Williams have released their book "PCI Compliance." If you go to Anton's website (click here) you will see a discount code good for (continue reading...)

PCI Council Webinar Next Week Open to All

December 1, 2009 - The PCI Security Standards Council is inviting all payment industry stakeholders -- yes, that includes YOU -- to attend their next “Open Mic” webinar. Typically, these sessions are reserved for Participating Organizations, but (maybe as a holiday present?) the (continue reading...)

Campus – and Personal – Security for the Holidays

November 30, 2009 - I recommend you take a look at Linda McGlasson's post 'Tis the Season for Thieving. There is some good advice for all, both for your campus security (check out the warnings on fake bank transfers) and (continue reading...)

Your School Needs Another Domain

November 20, 2009 - I saw this post at the ha.ckers.org site describing how a particular domain name - com.com - was up for sale. While that might be in itself interesting to you or not, one part of that post caught (continue reading...)

The Dangerous Out-Of-Scope PCI Charade

November 17, 2009 - Dominating many discussions over the last few weeks in payment security circles has been speculation over what the PCI Council, Visa and others will decide about declaring some types of data out-of-scope for PCI purposes. Getting much less attention (continue reading...)

PCI Update in NACUBO’s Business Officer

November 17, 2009 - The November issue of NACUBO's Business Officer is out with a report from Tom Davis and me on the PCI Community Meeting. You can see it here once it's online. Golly, we even got featured (continue reading...)

Is Your Campus Hotel Targeted?

November 16, 2009 - If you have a hotel on your campus, you should have a look at Visa's Alert on Targeted Hospitality Industry Vulnerabilities. I've blogged about campus hotel PCI issues before (see here and here), but this release (continue reading...)

Visa Issues FAQ on its Payment Application Mandates

November 16, 2009 - Visa just released a FAQ on its payment application mandates. Visa issued the mandates with two objectives in mind: To eliminate the use of payment applications that are known to be vulnerable to attack or that store prohibited (continue reading...)

OWASP Top Ten for 2010 Released

November 13, 2009 - Late today (Friday) a preliminary update to the OWASP 10 for 2010 was released (click here). As most of you know, PCI compliance requires (among a bunch of other things...) that all custom code be reviewed so as (continue reading...)

It’s Not Just For Card Data Any More

November 11, 2009 - With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have opted to take a far too narrow view of data protection. The PCI rules are absolutely designed to only apply to payment (continue reading...)

Processor Best Practices You Can Use

October 29, 2009 - Visa just released its Cardholder Data Security Best Practices for VisaNet Processors. I think there are some things in this document that you as merchants can use, too. Here are a few examples with my comments/observations: Entities (continue reading...)

Is Your Web App Secure? Really?

October 20, 2009 - The Web Application Security Consortium (WASC) today announced the findings of its WASC Web Application Security Statistics Project 2008. Their objective was to pool data from a number of sources to assess the vulnerability of web applications (continue reading...)

Keeping Informed

October 20, 2009 - One of the hardest parts about payments and PCI is keeping informed of new developments, state laws, emerging threat vectors, and ideas about what may be coming. You are already making a start by reading this blog (c'mon...what did (continue reading...)

PCI Merchant Levels Cleared or Confused?

October 20, 2009 - Branden Williams writes that Visa and MasterCard have pulled the "reciprocity" from their merchant level definitions (see here). For those of you not up on all the details, I'll try and explain what's going on. Let's (continue reading...)

Your Campus Hotel and PCI

October 6, 2009 - I have been working with and talking to a number of schools recently that operate hotels on campus. These hotel operations face particular PCI compliance challenges due to the nature of the hotel business. That is, they hold (continue reading...)

POS PIN-entry Vulnerabilities

October 5, 2009 - Those of you with PIN-entry devices (PEDs) at your point of sale (POS) should take a look at Visa's POS PIN Entry Device Vulnerabilities white paper out today. Visa reports on the increasing number of thefts of (continue reading...)

Visa Best Practices on End-to-End Encryption

October 5, 2009 - Visa has just released a pdf on data field encryption, aka end-to-end encryption. You can download it here. There has been a lot of interest in this technology which was featured as a potentially game-changing technology at (continue reading...)

Purchasing, Travel, and Corporate Cards and PCI Scope – Some Closure!

September 25, 2009 - I have blogged here (see here with comments, and here, and here) and elsewhere about whether “corporate cards” used for travel and purchasing should be in the “issuing” school’s own scope for PCI. In other (continue reading...)

PCI Community Meeting – Day 2

September 24, 2009 - Day 2 of the PCI Community Meeting has just concluded. We heard from former Representative Tom Davis about the prospects for federal legislation addressing cyber security. My take from the presentation is that such legislation is not (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.