There's a good rant at informationweek on PCI. "The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing. The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering on...
"Today, June 30, marks the start of new revisions on the PCI DSS specs. Section 6.6 is now required, specifically companies who deal with credit or debit cards online must use an application layer firewall or have a complete website audit code review to remain PCI compliant. With all the stolen and...
"On June 30, another refresh of the Payment Card Industry (PCI) Data Security Standards (PCI DSS) will upgrade Web application security testing from a best practice to a mandatory practice. The deadline forces merchants and vendors to take a closer look at application-layer security and emphasizes its importance in fighting increasing online...
Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article . Below is the information." I don't usually link to...
"Using a combination of fines and incentives the payment card brands have working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs...
"TJX’s failure to upgrade its encryption system allowed the electronic eavesdropping beginning in July 2005 and continuing for a year and a half, the report says. At least 45 million credit and debit cards were exposed to potential fraud, according to an Associated Press story" Article Link: http://www.itbusinessedge.com/blogs/hdw/?p=945
"Software testing generally falls under the purview of the quality assurance (QA) test team. The problem is that QA testers test the products for compliance with its functional requirements and specifications. Put another way, they test how the software works, not how someone can break or misuse software for illicit purposes. To...
Jeremiah Grossman has a post asking the question 'what if PCI-DSS requires CSRF protection?'. Short answer, just about everybody is vulnerable (more than XSS) and making people be compliant to it is going to be almost unrealistic. Article Link: http://jeremiahgrossman.blogspot.com/2007/03/big-trouble-if-pci-dss-requires-csrf.html
"Regulation is a boon to security. Without the government and other private organizations leading security around by its nose, we would be eternally trapped in the "just strap another pizza box into the rack" solutions offered by clueless vendors. There were zillions of them at RSA this year. One problem is that...
