Monday, September 8, 2014

PCI and Retailer Breaches

Just a quick thought in the absence of meaningful thoughts on here ...

When Target was breached at the end of 2013 (and every day since then), from the safety of their climate-controlled armchairs, pundits have cast judgement on Target.  "Target was negligent." Or maybe "Their PCI QSA wasn't thorough."  Sentiments along those lines ...

Now, here comes The Home Depot's breach.  Same malware.  Same techniques.  Quite possibly orders of magnitude higher in scope than Target (time will tell).  The same ol' drums will beat from smart phones and tablets in living rooms everywhere.

The reality is ... it's very difficult.  Difficult to get security "correct."  And more difficult to keep it in that "correct" state over time.  A single chink in the armor, as the ol' saying goes ...

For the self-acclaimed pundits who throw rocks in glass houses, consider this:
Every single Level 1 merchant that has been breached has RoCs (Reports on Compliance) signed by both a third party and representatives of the credit card brands.

Now for the realistically jaded perspective: PCI is really just about transferring risk to merchants and away from the card brands.  That's it.  Does it work?  Sure it does, since consumers are still using credit cards at merchants, and the economy hums along.

That is all ...

Wednesday, January 22, 2014

Top Posts Since 2007

It's time to give the blog a little push.  It's been 7 years with spurts of on again off again contributions all over the spectrum of security, from information security and privacy to physical security with smatterings of things like writing code and picking locks ... maybe even a theme of how politics can affect security policy decisions from time to time as well.

Here are some of the top computer/information/application/software security highlights, many of which are top Google search hits as well:

It's been fun.  Here is to 7 more years!