-
Apr 25, 2010
We in the data protection industry are almost becoming immune to data breach alerts involving retailers and financial institutions. The alerts are not only frequent but expected. But when a recent alert from The Wall Street Journal flashed across my desktop “. . . Hotels are #1 Sector for Credit Card Data Breaches”, I must admit I was caught a bit off guard. I knew data breach incidents were growing in the overall hospitality industry, but #1?
-
Apr 20, 2010
Unless you live under a rock somewhere you’ve heard some hype about SaaS and cloud services as alternative deployment models for accessing technology. Certain business processes and applications have experienced early adoption by users; this seems to happen where processes can be clearly defined and where data dependencies are very low. On the other hand, some applications just aren’t ready for this type of deployment. Or are they?
-
Mar 31, 2010
When was the last time a colleague said “You’ve got to see this!” about an enterprise application? In consumer-facing applications it happens all the time – Google- and Facebook-like companies produce the best UI innovations that quickly become standard practice.
-
Mar 29, 2010
I’m writing to you from the banks of the Thames River, where data controllers are on high alert. Why? It’s countdown time to April 6th.
-
Feb 24, 2010
Yes, indeed. Just six weeks into the year, and the Payment Card Industry Security Standards Council (PCI SSC) has issued three clarifications regarding the storage of cardholder data on digital audio recordings. Now the PCI SSC has formally clarified that storing payment card data in digital call records is forbidden.
-
Feb 16, 2010
The Payment Card Industry’s Security Standards Council issued a clarification about audio recordings on January 22, 2010 noting that card validation codes and values must not be stored under usual circumstances to be considered PCI DSS compliant. PANs in the recording, of course, must be encrypted following the current standards as well.
-
Feb 08, 2010
Data Loss Protection or Data Leak Prevention (DLP) applications are often used to discover credit card and other personally identifiable information in enterprises. If you don’t know where sensitive data exists, how can you protect it?
-
Jan 20, 2010
CIOs everywhere are being told by the business that they need to share more data, both internally and with business partners. And then they are being told to secure more data to limit its use to only authorized users.
-
Dec 14, 2009
We’ve had a close eye on D.C., as two retooled data breach notification bills have been wending their way through Congress. While we had our eye off the ball recently (guess we were lulled into thinking this newest round of legislation would go the way of the past several bills), on December 9th the House of Representatives passed, for the first time ever, a data breach notification bill. While that’s great news, we’re wondering: if the bill makes it through the Senate and becomes the law of the land, will it replace the patchwork of state laws – 45 as of today – that exist? Right now, breach alert mandates are handled at the state level. Will this legislation rationalize data protection legislation across the US? Doubtful; more realistically it will provide a consistent baseline that states, and companies looking to comply with data protection notification laws, can use as a starting point.
-
Nov 11, 2009
The Metro Atlanta ISSA hosted its 5th annual information security conference on Veterans Day, November 11th, with the theme of "Magnify Your Security." It was great to see they took time out in the opening session to recognize the dozen or so veterans among the attendees. Thanks to all of you who have served and do serve our country!
-
Sep 25, 2009
Onsite in Las Vegas – The Payment Card Industry’s Security Standards Council (PCI SSC) is on a 24-month cycle of reviewing and editing the PCI Data Security Standard (PCI DSS). Version 1.2 was issued in October 2008 and the next major release is expected around the same time in 2010. While last year’s themes seemed to be “Compliance does not equal security” and “Network Segmentation”, this year’s theme was very much about submitting feedback on the current standard and reviewing new technologies for reducing the scope (and burden) of initial and ongoing PCI DSS compliance.
-
Sep 16, 2009
While you can attend a conference any week or weekend throughout the year, most of us can’t afford the time away from the office, even when we’re on the vendor side of the business equation like I am. And given that summer is a time when many people travel, it turns out that March through June and September through December are prime times for the “conference tours.” Surely not as glorious as a “band tour,” but exciting nonetheless. For me it’s an opportunity to meet customers, prospects, business partners and other people I’ve connected with during the year, whether or not we have met in person before. And for them, the same – an opportunity to put a face with the name.
-
Aug 20, 2009
That just may be the tip of the iceberg as the details of this latest cybercrime unravel.
On Tuesday, Albert Gonzalez and two others were indicted on charges of stealing more than 130 million payment card numbers, the largest hacking and identity theft case ever prosecuted in the U.S. Ironically, he is accused of breaching several retailers’ networks that were already compliant with the Payment Card Industry’s Data Security Standard (PCI DSS) – a set of comprehensive requirements put into place in 2006 by American Express, MasterCard, Visa and other credit card companies to force businesses to better protect credit and debit card information from thefts like those committed by Gonzalez and other hackers over the years.
-
Jun 19, 2009
The ISSA-UK Chapter meeting was held last Thursday evening at the London offices of KPMG and was attended by about 60 information security professionals. There were three speakers, covering an update from the Information Commissioner’s Office, the legal aspects of data security, and how to reduce the scope of PCI DSS compliance using tokenization – the last one given by yours truly.
-
Jun 18, 2009
London’s a great city and the London Underground subway – the “Tube” – makes it so easy to get around – except when the Tube workers decide to go on strike. That’s exactly what happened last week, Tuesday through Thursday night. I was expecting the worst in attendee turnout for the Corporate IT Forum’s Information Security Service’s PCI DSS Conference on Wednesday, but it was hardly that – the venue was packed with business and information security professionals with a thirst to network and learn how to comply with the Payment Card Industry’s Data Security Standard (PCI DSS).
-
Jun 18, 2009
Another week, another Gartner conference. Last week I attended Gartner’s Application Architecture, Development & Integration Summit 2008, and it can be summed up as “buzzwords aplenty!” Some of the favorites included cloud (variously referred to as ‘the cloud,’ ‘cloud services,’ ‘cloud computing’ and ‘in the cloud’), Software as a Service (SaaS) and Service Oriented Architecture (SOA) – among others. Gone from this year’s presentation titles were EAI, middleware and WOA.
-
May 28, 2009
Gone are the days when hackers broke into companies as a challenge to themselves, to prove they could do it. More fashionable in recent years has been stealing credit card and other personally identifiable information (PII) so that it can be resold on the black market. And now for the next wave: stealing the data so that it can be resold or ransomed back to the rightful owners!
As Dan Kaplan of SC Magazine reported on May 5th, “Hackers seek payment after break-in on state health care site.” Cyber-thieves did just that, demanding $10 million to return patient data to Virginia’s Department of Health.
-
May 07, 2009
The whirlwind global launch of nuBridges Protect™ Token Manager didn’t slow down after InfoSec. It just moved around the European continent!
-
Apr 29, 2009
I send you greetings from the UK. At least I think that’s where I am! With just 24 hours at home between the RSA Conference in San Francisco and InfoSecurity Europe in London, I’m not sure what time zone I’m in – PST, EST, GMT! All kidding aside, yesterday’s InfoSecurity Europe 2009 kickoff was great. Whilst (that’s how they say it here) the conference is not as big as RSA, there’s a lot more glitz and glamour in the exhibition hall – game shows, in-booth bars and any number of costumed people to get folks to stop by their booths.
-
Apr 24, 2009
I checked out of my hotel early this Friday morning and am now on an airplane headed home from the RSA Conference 2009. It was nice that I could simply leave the hotel without checking out at the desk, since they are going to charge the bill to my credit card. I’m hoping that my credit card number has been stored at the hotel in an encrypted state since I gave it to them on Monday.