Upcoming PCI Deadlines

A number of deadlines are coming up next year. Are you ready? Don't be caught unaware. 
 
Payment Application Data Security Standard (PA DSS) and the PIN Entry Device standard (PED) support the PCI DSS and address security of applications and hardware used to process payment card transactions.
 
“PA-DSS is the Council-managed program formerly under the supervision of the Visa Inc. program known as the Payment Application Best Practices (PABP). The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS.” - Payment Card Industry Security Standards Council
 
“The PCI PED security alignment initiative is aimed at ensuring that the cardholder’s PIN, and any sensitive information such as resident keys, are protected consistently at a PIN acceptance device. The objective of the requirements is the provision of a single, consistent, and stringent standard for all PIN acceptance devices worldwide.” - Payment Card Industry Security Standards Council
 
These supporting standards are aimed at vendors who create the applications and hardware devices used in processing payment cards. Merchants should be aware of these standards and purchase only applications and hardware devices that comply with them. At this time, merchants will be required to use only compliant applications and hardware by July 2010.
 
What do you need to do? Determine whether your applications and PIN entry devices are PCI compliant. If not, plan to replace them as soon as possible. Don't wait until the last minute on this one.
 
How do you find out which ones are PCI compliant?
 
List of Validated Payment Applications:
List of PIN Entry Devices:
 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
Pandemic Disease and Business Continuity
 
When developing a business continuity plan for an organization it is vitally important to remember the human element of the equation. It is not enough to have servers and data backed up and online if there are no people to use them. Most IT departments focus on the loss of a system, application, data, location or power. What if the loss were in personnel due to a pandemic flu or virus?
 
With the H1-N1 virus spreading like wildfire and the Mexican government asking people to stay home for 5 days to slow or stop the spread of the virus, what are businesses going to do for continuity? What are you doing to prepare for a pandemic outbreak?
 
Technology may have an answer for us. Many tasks can be completed by employees working remotely. They can work from home so as not to catch or spread the virus. In order to do this we need to have a remote work-from-home policy. Obviously, not every job can be performed remotely, but those that can should be considered for remote connectivity.
 
A remote worker policy may have side benefits for the environment by reducing pollution. If employees can work from home they avoid the pollution created by commuting to work. A green solution is not a bad side benefit.
 
What are the downsides? Security risks due to remote home computers connecting to the organization's network. There are a number of ways to reduce the risk of allowing remote connections. Another issue is the potential liability brought onto the organization by employees being hurt at home. Because the home becomes part of the work area, injuries in the home may result in workers' compensation claims and safety violations. I think this risk can be mitigated with a simple hold-harmless or home worker policy. It would be advisable to have an attorney draft such a policy or work-from-home agreement.
 
Giving people the ability to work from home, in a secure manner, may have benefits beyond pandemics. How often does the common cold sweep through organizations? Today it was reported that people with flu symptoms should stay home to keep any flu from spreading. Allowing employees to work from home while they have mild symptoms helps the business avoid losing man hours.
 
Remote home connectivity should be considered before an outbreak of pandemic proportions.
 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
 
Security Awareness for the Home User

The National Cyber Security Alliance will start a new cyber security program targeting K-12 kids. It will be a nationwide volunteer program with the Department of Homeland Security and top tech companies as sponsors.
 
It is no surprise that 79% of teenagers are not careful about the personal information they put on the Internet. On top of that, only 3% of school curricula include privacy and security for chat rooms and social networking sites.
 
This type of much-needed program is nothing new. A few security professionals (me included), the Walnut Creek Chamber of Commerce and tech companies started a similar program called ThinkSecurityFirst. The idea of that program was to educate home users and children about the dangers of the Internet. It was like creating a security awareness program for the entire community. Another way to look at it is as a cyber neighborhood watch program.
 
We can learn from programs like this. The greatest risk to corporate and government computer systems comes from unprotected home computers. Most attacks on those systems come from infected home computers. Not only that, identity theft is a problem. The key is to educate home users. With more secure home users there are fewer zombie computers attacking corporate and government sites. Not to mention that most spam comes from infected home computers.
 
For corporate security awareness we need to focus on security in the home as well. When presenting security awareness topics it is useful to make the topic as relevant as possible for the learner. By focusing on how they can be safe online at home, they will be more likely to take the message to heart. They will be safer at home, reducing potential attacks on organizations, and it will make them safer (or at least more aware) at work.
 
Here are some useful links:
 
Donald E. Hester
CISSP, CISA, CAP, PSP, MCT, MCITP, MCSE Security, MCSA Security, MCTS, MCDST, Security+, CTT+, MV
 
 