COMTEC 2012 – Chris Mark Training on PCI & Payment Card Security July 6, 2012
Posted by Chris Mark in Industry News, Uncategorized. Tags: Chris Mark, COMTECH, mark consulting group, PCI, PCI DSS, security, TouchNet
COMTEC is back again in 2012, and the fine folks at TouchNet have invited me to conduct a training on Payment Card Security & PCI DSS at their October COMTEC event. COMTEC is a great event for TouchNet’s clients; the name comes from Commerce and Technology. The session will be titled:
PCI Training: Full Cycle Compliance – Crisis – Recovery
“During this unique pre-conference workshop, you’ll investigate the full spectrum of PCI compliance and readiness. Attendees will better understand everything PCI, from the basics of PCI compliance to planning for the real-world impact of a breach and what to do in its aftermath.”
It is always positive to see that in 2012 there are still organizations that are taking a leadership role to educate their own customers on the importance of information security.
“This is the American Express Fraud Department” – Two Dozen Carders Arrested on 4 Continents June 26, 2012
Posted by Chris Mark in cybersecurity, Industry News. Tags: Amex, BOA, Carders, data theft, DSS, Fatal System Error, fbi, mark consulting group, PCI, Sting, visa
Last night my wife received an email about a suspicious transaction on our Amex card. It turns out it was a fraudulent transaction and my wife’s card had been stolen. I was writing a blog post on this very subject when a Google alert informed me of this article on Fox News: “Two Dozen Arrested in Online Financial Fraud Sting”. According to the article: “Two dozen people on four continents have been arrested in an elaborate sting targeting a black market for online financial fraud, federal officials in New York said Tuesday.
U.S. officials called the crackdown in United States, Europe, Asia and Australia the largest enforcement effort ever against hackers who steal credit card, bank and other information on the Internet — a practice known as “carding.” The officials claimed the two-year FBI sting protected more than 400,000 potential victims and prevented losses of around $205 million.”
On that note, I recommend that you take a look at the book “Fatal System Error”; it gives very good insight into the underworld of carding.
Collective Security & the Payment System June 11, 2012
Posted by Heather Mark in Laws and Legislation, PCI DSS, Politics. Tags: collective security, compliance, Dr. Heather Mark, InfoSec, InfoSec & Privacy, mark consulting group, PCI, PCI DSS, treaty of westfalia
I recently attended an event focused on payment security and fraud prevention. It was an outstanding event and the presentations and panels were incredibly valuable – not something that I frequently say about payment security events these days. However, one term came up a couple of times that got me thinking. That term was “collective security.” As many of you know, I have a background in public policy and my dissertation was, in fact, on US foreign policy and our strategic interests abroad, so the mention of collective security set off my poli sci radar. But I wondered if collective security was really an appropriate phrase for what we’re doing in the payments industry. To address that question, it is necessary to first define collective security in its traditional sense.
Collective security was first formally introduced by the Peace of Westphalia in 1648, a series of treaties that put an end to a number of wars that had been plaguing Europe. Very simply put, collective security is an arrangement in which all stakeholders agree that their security depends upon the security of each of the other stakeholders. (more…)
“Blaming the Victim and the PCI DSS is…Passe”- PCI DSS; GlobalPayments & Data Theft April 1, 2012
Posted by Chris Mark in Data Breach, Industry News, InfoSec & Privacy, PCI DSS, Risk & Risk Management. Tags: Chris Mark, cybersecurity, data breach, Global Payments, InfoSec, mastercard, PCI, PCI DSS, visa
In an effort to beat the “PCI Evangelists”, “wagon jumpers”, “naysayers”, and “PCI Haters” to the punch, I am publishing my post on a Sunday evening. By tomorrow morning the speculation on how the GlobalPayments compromise occurred will be in full swing and, no doubt, many will already have condemned the company for “PCI DSS non-compliance” or for being “sick, lame, or lazy” when it comes to their PCI DSS compliance or information security. Others will have published articles condemning the PCI DSS as ‘ineffective’, ‘irrelevant’, or simply ‘stupid’.
Before they are condemned I want to go on record and say it is NOT a PCI DSS compliance issue that caused the compromise. Like Heartland Payment Systems, Royal Bank of Scotland WorldPay and many more before them, GlobalPayments has been held out as a paragon of PCI DSS compliance for years. Now that they have been breached they will be expected to wear a scarlet letter for the foreseeable future. I have no doubt that by the end of next week their status as a “Level 1 PCI DSS Compliant Service Provider” will either have been revoked by the card brands or be under “review”. In the same vein, there will be many who shout from the rooftops that the PCI DSS is “irrelevant”, “outdated” and so on. Neither of these positions is accurate.
Here it goes…(drum roll please)…
The PCI DSS is a solid set of information security controls and represents the minimum necessary controls to minimize the likelihood of data compromise through common, identified vulnerabilities. (more…)
Rogue Wave; Secure Payments Article January 11, 2012
Posted by Chris Mark in InfoSec & Privacy, Laws and Legislation. Tags: Chris Mark, InfoSec, InfoSec & Privacy, mark consulting group, markconsultinggroup.com, PCI, PCI DSS, risk management, rogue wave, secure payments, security
This is an excerpt from an article I wrote a couple of years ago called “The Rogue Wave”. It gives a high-level overview of doctrine, tactics and strategy, and of applying the PCI DSS as doctrine. You can read the full article here.
“Recent data compromises have continued to illustrate the challenges of securing data in an increasingly hostile environment. Companies are faced with securing and protecting their valuable information from a growing number of increasingly sophisticated and organized groups determined to steal valuable data. Historically, the response to data compromises has been to pass and enforce increasingly strict standards, regulations, and laws detailing the specific steps companies must take to protect data and the required disclosure should data be compromised. Those companies that are the unfortunate victims of data thieves are criticized and vilified for “losing data”. In spite of the efforts being focused upon compliance with the various laws and standards, data compromises continue in their steep upward trend seemingly unabated…”