
New Role – AT&T Consulting PCI Practice Lead! January 4, 2013

Posted by Chris Mark in Uncategorized.

I am proud to announce that as of January 3, 2013 I have accepted and started a new position with AT&T Consulting.  I am the new PCI Practice Lead directing the PCI DSS auditing and consulting efforts within AT&T.  I am excited to work with the most experienced, professional PCI DSS experts and QSAs in the industry.  I have had frequent opportunity to interact with the AT&T PCI team over the years and have been consistently impressed with their technical expertise and professionalism.  Their industry-leading services are testament to the quality of the team and the leadership that preceded me in this role.  Please feel free to contact me if you have any PCI DSS needs!

Chris Mark in Jan 2013 TransactionWorld: “Only Certainties are Death, Taxes, and PCI DSS.” January 2, 2013

Posted by Chris Mark in Uncategorized.

Chris Mark (this guy with two thumbs) is in the January 2013 edition of TransactionWorld Magazine.  You can read my article titled: “In 2013 the only certainties are Death, Taxes, and the PCI DSS” in which I opine about the need for PCI DSS and other security standards as we enter 2013.  The bio on the article is not accurate and still references an old position I had at ProPay. That being said, ProPay is a great company for which I was fortunate and proud to have worked, a company at which my illustrious wife, Dr. Heather Mark, still works, and a company that deserves a big Congrats for being acquired by TSYS!..all in all…no harm, no foul.

Chris in October 2012 Issue of PenTest Magazine October 30, 2012

Posted by Chris Mark in Uncategorized.

Check out the October 2012 issue of PenTest Magazine for tons of valuable information on the PCI DSS and how Pen Testing can be used to support compliance and validation.  I have an article in the magazine titled: “Introduction to PCI DSS for the PenTester.”  You need to register as a user or subscribe to access the articles.

“Boo!” – October 2012 issue of TransactionWorld October 30, 2012

Posted by Chris Mark in Uncategorized.

I (Chris) am finally back in the US after traveling for the past two months.  If you haven’t had a chance yet, please check out October’s issue of TransactionWorld and read articles by Chris Mark (Security Economics) and Heather Mark (Portable Security).  If you don’t subscribe to TW, you should check it out.  Everything you could want to know about payments. (well..not everything but quite a bit).

EMV: Payment Security Endzone? September 29, 2012

Posted by Heather Mark in Industry News, PCI DSS.

As I’m buckling down for another fun-filled day of college football, I’m drawn to compare the GameDay set to some of the panels I’ve recently seen.  As Kirk, Lee, and the gang try to determine the best strategies for each team in their respective games, I think about my colleagues and myself sitting at the panel tables, trying to envision the best way to secure payment (and other sensitive) data without crushing our bottom lines.  Okay – maybe it’s a bit of a stretch, but I needed a way to work college football into a post.  Mission accomplished.

On a more serious note, though, I recently attended the Western States Acquiring Association conference in Huntington Beach.  It was well-attended and had a number of interesting sessions.  Not surprisingly, much of the talk centered around EMV, or Chip & PIN.  Some wondered whether EMV meant the end of PCI DSS.  Well, the answer to that question is a resounding “no.” The PCI SSC has already been adamant about the fact that the PCI DSS remains relevant, even in the face of advancing security technologies.  (Insert your own commentary here.) In fact, there is legitimacy in the argument that is put forth here.  Simply adding additional layers of authentication doesn’t change the type of data that is collected.  In many cases, as we’ve seen with international adoption of the standard, it simply chases the fraud to other milieus – whether different geographic regions or different acceptance channels.

Additionally, we’ve seen evidence that Chip & PIN may not be as secure as we’d thought.  Brian Krebs recently wrote an article highlighting research on a security flaw in the EMV technology.  Supposition has it that thieves have been “quietly exploiting” this flaw to “skim” the data.  That’s not to say that EMV is useless, but it’s not exactly the impenetrable defense that some have made it out to be.  Even the best defensive line sometimes gives up the big play.

So – to the question in the title – does EMV represent the winning score?  My thought is that payment security is more like the 2010 Outback Bowl between Auburn and Northwestern.    After a back and forth game that ended regulation play tied, the teams went on for five overtime periods that finally ended only when Auburn managed to wear their opponent down just shy of the goal-line.  It was a long, brutal game and you really couldn’t tell who was going to win.  You just gotta keep putting your best players on the field and keep those trick plays coming.

What do you think of EMV?  Touchdown, fumble, or forward progress?
