Wednesday, November 30, 2016

Computer Security Day

It's been a long while since I posted here. Time is flying by. A colleague at work sent the following security PSA to all Shift4 employees and he was gracious enough to let me re-post here for the world. Good info...

Computer Security Day is observed annually on November 30.

Identity theft, credit card fraud, ransomware, and more endanger our online experiences every day.

History of Computer Security Day
Computer Security Day began in 1988, around the time when computers were becoming commonplace in business and government and in the home…when they no longer cost $10,000.  The Internet, as we know it today, was also an infant.  While hacking and computer viruses have been around since the early days, evolving and increasingly sophisticated malicious technologies will continue to be a threat to online computer activities forever.  Computer security had already become a major concern by the end of the 80s so Computer Security Day was created to educate users and raise awareness.

Here is a checklist you can follow to help secure your computer at work and at home:
·         A password is required to access my computer.
·         Windows Update is enabled.
·         I use antivirus software and make sure it is updated daily.
·         My Windows Firewall is on.
·         I keep my computer applications patched up to date.
·         I remove unused computer applications.
·         I always use strong passwords.
·         I don’t share or write down passwords.
·         I log off my computer when I’m not using it.
·         My home wireless network is secured with a strong password and strong encryption.
·         I regularly backup my important data to an offline device.
·         I use caution when I browse the Internet.
·         I suspect foul play when my browser is redirected to another web site.
·         I don’t allow my web browser to store or remember my passwords.
·         I regularly delete temporary Internet files.
·         I don’t open attachments or click on links in email from people I don’t know.
·         I make online purchases only on well known, reputable web sites.
·         I look for “https” in the address bar before submitting personal and payment information.
·         I don’t save my credit card information on web sites.
·         I don’t use my debit card online.
·         I don’t use the same password for all online services.


Secure Payment Processing


Stephen Ames, CISA, CISSP
Senior Director, Security Compliance

Shift4 Corporation
1491 Center Crossing Road
Las Vegas, NV 89144-7047
702.597.2480 ext. 46700
fax 702.597.2499

"In the pursuit of security assume nothing." -sga

Thursday, June 18, 2015

Why All QSAs Must Lie

A fellow blogger referred me to yet another blogger's post "Why All QSAs Must Lie". While the title sounds like a QSA bash piece, it definitely grabs attention and the post is definitely not a dump and QSAs and is worth the time to read.

On another note, I'll start writing again soon. I have several ideas but time has been hard to come by of late. Until next time...

Tuesday, October 14, 2014

Bob Russo: Breached!

There is a brief article that I found on where Bob Russo, outgoing general manager of the PCI Security Standards Council, describes an incident where he was robbed (really burglarized but everyone misuses "robbed" – pet peeves of mine). Bob uses this story to illustrate how PCI-compliant companies are breached.

Before reading my punchline, please read the article: Bob Russo: Breached!

Stop. Go back; you didn't really read it…

Ok, anyone notice something missing from Bob’s story? Immediately following the police investigation the DA (DA playing the part of the card brands) didn’t levy fines for PCI non-compliance. His HOA (HOA playing the part of an acquirer) didn't kick him out for not properly securing the premises. He was not required by various states (cameo appearance, playing the part of themselves) to send out breach notifications to all the contacts stored on his laptop. He didn't make headline news with "Russo Exposes PII!" Lastly, he was not hit with one or more class action lawsuits for the stolen Personally Identifiable Information before the ink had a chance to dry on the police report.

Hmmm… I wonder if my name and email address was contained in his contact list.

Friday, April 11, 2014

Tokenization IS Encryption - NOT! - Part 5 (pre-release teaser)

The saga continues. As PCI SSC continues redefining and clarifying its newly redefined definition of tokenization via the PCI Tokenization Task Force, EMVCo apparently decided they liked the term "tokenization" so unbeknownst to anyone else, a new EMVCo definition was necessary. Last month EMVCo released the EMV Payment Tokenisation Specification v.1. Luckily they misspelled it, probably on purpose, so-as not to confuse EMVCo Tokenisation with PCI Tokenization whereas PCI Tokenization always gets confused with TrueTokenization®.

I find it funny that just like PCI SSC, EMVCo didn't bother to approach the inventors of tokenization during the development of their definition. Hindsight being 20/20, I really wish Shift4 had trademarked the term tokenization prior to releasing the concept to the public domain. At least then we could have better controlled the definition and limited the misuse of the term. Instead we now have everybody and their brother coming forth with their custom definition, complicating and confusing a concept that was designed to be simple, easy to explain and secure. Anyway, I'm currently reading and analyzing the EMVCo document. Stay tuned for a detailed report…

Friday, January 10, 2014

The Economics Of EMV

A fellow blogger PCI Guru created an informative post on his blog explaining some of the reasons why EMV adoption is so slow in the US:
If you have any comments on the post, feel free to post them on his site -- I won't be offended.

Friday, December 27, 2013

Earth to Media, Earth to Media, Come in Media…

Target breached, and EMV would have done nothing to prevent it. Period! I realize there are a lot of EMV fans out there stating differently, but please reference people that really know EMV -- its advantages and its limitations -- before releasing propaganda pieces painting EMV as the silver bullet it is not and calling it news.

What EMV cannot do: EMV does not protect the PAN, expiration dates, CVV2 or even PINs in anyway. While information as to whether or not PINs were stolen in the Target breach is sketchy, all the other information was stolen and EMV does not protect any of this.

What EMV can do: EMV is very good at preventing the stolen information from being used to create forged cards to be used for card-present (swiped) purchases, but if history repeats itself, the stolen information will primarily be used for card-not-present (ecommerce) purchases. Until EMV and/or the card brands address card-not-present purchases, EMV is nothing more than a one legged stool.

Wednesday, December 18, 2013

EMV Rumblings

For anyone researching EMV, I wanted to share some links to some EMV discussions I think are useful. These discussions go beyond the standard EMV talking points that the card brands and various EMV card and hardware vendors are promoting.

  1. Shift4 Blog: Executive Insight: EMV is Coming – Gradually
  2. PCI Guru Blog: Why the continued push for EMV?