July 20th, 2010
I really wish I had the time to fully explore the idea, but there’s a certain amount of resonance between the criticisms Adrian Lane at Securosis levels against Visa’s guidance on Read More →
July 14th, 2010
If you’ve been thinking about using tokenization or truncation to limit the scope of your PCI environment, you need to take a few minutes to read the two documents Visa just released, Visa Best Practices: Tokenization and Visa Best Practices for Primary Account Number Storage and Truncation. Read More →
July 14th, 2010
Rich and Zach are still sweltering in their respective heat waves, but Martin managed to nab an interview with Bob Russo, the head of the PCI Security Standards Council. We also cover a couple of stories and some honest-to-goodness listener mail! Network Security Podcast, Episode 205, July 13, 2010 Time: Read More →
July 12th, 2010
Last week another assessor friend of mine started a new blog, Fear Not the Assessor. Read More →
June 25th, 2010
Truth can be stranger than fiction sometimes; I’ll be speaking on a panel on compliance with Jack Daniels and Josh Corman at Defcon next month. Read More →
May 28th, 2010
It can be downright disheartening to be a QSA. Read More →
May 24th, 2010
I’m a big fan of tokenization and end-to-end encryption (E2E2). Read More →
May 21st, 2010
On Twitter this morning, @secrunner made the following comment: “I think it’s surprising that PCI still hasn’t developed a program to certify pen testers or at least standardize the approach.” In reply I stated that, given the level of certification for ASVs (Approved Scanning Vendors), I’m just as happy if the PCI Council would stay out of the business of certifying pen testers or creating a standardized approach. Read More →
April 2nd, 2010
Do you remember those old Schoolhouse Rock commercials from the ’70s? Read More →
March 12th, 2010
I’d almost forgotten that David Spark ambushed Ben Tomhave, Andrew Storms and me with a video camera on the first day of RSA last week. Read More →
March 1st, 2010
My friend Alex Hutton and the rest of the RISK Team at Verizon Business have done it again! This time, rather than release a report about breaches, they’ve released the Verizon Incident Sharing Metrics Framework (VerIS for short). All the awesomeness that went into creating the 2009 Verizon Breach Report is being shared with the incident response community so that we can compare apples to apples when it comes to compromises. ...
February 26th, 2010
This video showing how Hitler would have responded to a breach of his Cloud Computing infrastructure was especially funny to me, coming on the tail of sitting in on this week’s Cloud Audit conversation. Read More →
February 23rd, 2010
This one hits close to home, quite literally; Andrew Storms had some major issues this weekend with how a pizza place close to his house handled his credit card information. Read More →
February 5th, 2010
PCI (Payment Card Industry Data Security Standard) compliance and cloud computing are two great tastes that truly suck when you put them together. Read More →
January 21st, 2010
(This post is dedicated to all those I have debated, poorly, on Twitter and in blogs.) I must admit that I do enjoy the experience of a good debate: the adrenaline rush, the give and take with a qualified adversary, the thrill of victory and hopefully the expansion of one’s views. So often though many Read More →