Tuesday, October 14, 2014

Bob Russo: Breached!

There is a brief article that I found on CardNotPresent.com where Bob Russo, outgoing general manager of the PCI Security Standards Council, describes an incident where he was robbed (really burglarized, but everyone misuses "robbed" – a pet peeve of mine). Bob uses this story to illustrate how PCI-compliant companies are breached.

Before reading my punchline, please read the article: Bob Russo: Breached!

Stop. Go back; you didn't really read it…

OK, anyone notice something missing from Bob's story? Immediately following the police investigation, the DA (DA playing the part of the card brands) didn't levy fines for PCI non-compliance. His HOA (HOA playing the part of an acquirer) didn't kick him out for not properly securing the premises. He was not required by various states (cameo appearance, playing the part of themselves) to send out breach notifications to all the contacts stored on his laptop. He didn't make headline news with "Russo Exposes PII!" Lastly, he was not hit with one or more class action lawsuits for the stolen Personally Identifiable Information before the ink had a chance to dry on the police report.

Hmmm… I wonder if my name and email address was contained in his contact list.

Friday, April 11, 2014

Tokenization IS Encryption - NOT! - Part 5 (pre-release teaser)

The saga continues. As PCI SSC continues redefining and clarifying its newly redefined definition of tokenization via the PCI Tokenization Task Force, EMVCo apparently decided they liked the term "tokenization," so unbeknownst to anyone else, a new EMVCo definition was necessary. Last month EMVCo released the EMV Payment Tokenisation Specification v.1. Luckily they misspelled it, probably on purpose, so as not to confuse EMVCo Tokenisation with PCI Tokenization, whereas PCI Tokenization always gets confused with TrueTokenization®.

I find it funny that just like PCI SSC, EMVCo didn't bother to approach the inventors of tokenization during the development of their definition. Hindsight being 20/20, I really wish Shift4 had trademarked the term tokenization prior to releasing the concept to the public domain. At least then we could have better controlled the definition and limited the misuse of the term. Instead we now have everybody and their brother coming forth with their custom definition, complicating and confusing a concept that was designed to be simple, easy to explain and secure. Anyway, I'm currently reading and analyzing the EMVCo document. Stay tuned for a detailed report…

Friday, January 10, 2014

The Economics Of EMV

A fellow blogger PCI Guru created an informative post on his blog explaining some of the reasons why EMV adoption is so slow in the US:
If you have any comments on the post, feel free to post them on his site -- I won't be offended.