Wednesday, September 21, 2011

Self-Assess Like a QSA?

Just about everyone reading this self-assesses their institution's PCI compliance using one or a set of Self-Assessment Questionnaires (SAQs). This is the PCI Council's -- and the card brands' -- own version of the honor system.

But the very largest (Level 1) merchants don't get to use the honor system. Instead they must undergo an on-site assessment, performed either by a Qualified Security Assessor (QSA, like me) or by a member of their own staff who has completed the Council's training and qualified as an Internal Security Assessor (ISA).

The QSA prepares a Report on Compliance (ROC, pronounced "rock"). This covers all of PCI DSS, every requirement and sub-requirement. Moreover, the QSA needs to see multiple pieces of evidence (documents, configurations, interviews, observations) before she/he can mark a requirement as "in place." The Council has released updated guidance on exactly what the QSA must do and document for each requirement, and it is now available for everyone to see. It makes informative reading.

Click here to download a copy of the ROC Reporting Instructions, then see how your own internal self-assessment measures up.

Staying in Touch With Developments

I'm getting ready to head off on vacation for a few weeks, and it has me thinking about staying in touch. I mention this because I probably won't be making many blog posts for a bit, and at the same time there is a lot happening in the PCI world that you will want to stay current on.

One way is to set up your Google (or Safari or whatever) reader and load up the RSS feeds for your favorite blogs. That is what I do, and it's great for filtering what you need to see. A great way to start is with the blogroll on the right. These are some of the blogs I follow (or participate in), and I'd add them to whatever list you put together.

Of particular interest might be the StorefrontBacktalk link. While they have gone to a premium pricing model (hey...everybody's got to eat!), I am pleased to announce that my PCI columns will shortly all be "free." There is a lot of other great retail content there, too, so if you have auxiliaries or other retail-like operations on campus, I'd point your RSS reader there.

With so much happening on point-to-point encryption (with the painful acronym P2PE), tokenization, and the reality of PCI DSS 2.0, you should take a few minutes to skim the highlights so you can stay up to date with what's happening.

Over the next few weeks, I'll be relying on my iPad and assorted English, Belgian, and French hotel WiFi links to stay connected. Yes, I'll still be on vacation, but I'll also be staying in touch. You may want to do the same.

Friday, September 2, 2011

Certificate Attacks on Google

Like many of you involved in security, I have been following the news about the recent compromise of a Dutch certificate authority (presumably by the government of Iran, but not proven). There was a brief piece earlier in the New York Times (click here). You also can find a great explanation and exposition of exactly what happened and what it means in this blog post.

Yes, the Internet is a very scary place.

Here are some additional articles that shed some more light on the risks and what you need to know:
  • If you read nothing else, please read this post (click here) from my colleague, Morgan Tremper. As he says, "Far and away, the most essential method for staying ahead of threats to your security is fixing the problems that the industry already knows about." A very clever man is our Morgan. What Morgan points out is that there is something you can do to protect yourself, but you (and all your users) have to *do* it!

  • "The disturbingly complete compromise of DigiNotar, the Dutch certificate authority, has broad ramifications for other CAs, enterprises and consumers who rely on the shaky web of trust that comprises the CA system. Here's what you should know about the attack and what you can do to protect yourself against intrusions resulting from it." (Click here to read more.)

  • "The details of the attack on DigiNotar that began to leak out on Monday have gotten uglier by the day as more and more researchers have looked into the compromise and the depth of the problem became clear." (Click here to read more.)

Happy reading on this holiday weekend.
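The "something you can do" in the DigiNotar case boiled down to one mechanical step that the browser and OS vendors pushed out in their updates: remove the compromised CA from the trust store, so that a certificate the attacker minted under it stops validating. The following is an added example, not code from this blog or from any of the linked articles, that demonstrates that step with OpenSSL. Everything in it is constructed on the fly: a throwaway CA named "Constructed Distrusted CA" standing in for the compromised authority, a second throwaway CA that stays trusted, and a leaf certificate for www.example.com issued by the bad CA (the rogue certificate). It checks the leaf against a trust store before and after the bad CA is pulled. No real DigiNotar material is used.

```shell
#!/bin/sh
# Added example (not from the original post). Shows why pulling a compromised
# CA out of the trust store is the fix: the rogue leaf validates until the CA
# is removed, and fails afterwards. All keys and certs are constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_pki() {
  # Root CA that we will treat as compromised (stand-in for the breached CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Distrusted CA" \
    -keyout "$WORK/bad-ca.key" -out "$WORK/bad-ca.pem" 2>/dev/null
  # A second root CA that remains trustworthy.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Trusted CA" \
    -keyout "$WORK/good-ca.key" -out "$WORK/good-ca.pem" 2>/dev/null
  # The rogue certificate: a leaf for a hostname, signed by the compromised CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" \
    -CA "$WORK/bad-ca.pem" -CAkey "$WORK/bad-ca.key" -CAcreateserial \
    -days 1 -out "$WORK/leaf.pem" 2>/dev/null
  # Trust store as it stood before the incident response: both CAs trusted.
  cat "$WORK/bad-ca.pem" "$WORK/good-ca.pem" > "$WORK/trust-before.pem"
  # Trust store after the response: the compromised CA has been removed.
  cp "$WORK/good-ca.pem" "$WORK/trust-after.pem"
}

# verify_leaf TRUSTSTORE: prints "accepted" if the rogue leaf chains to a
# trusted root in TRUSTSTORE, "rejected" otherwise.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# leaf_issuer: the first thing to look at on a suspicious certificate is
# who issued it; this prints the issuer DN of the constructed leaf.
leaf_issuer() {
  openssl x509 -in "$WORK/leaf.pem" -noout -issuer
}

make_pki
echo "issuer of the leaf: $(leaf_issuer)"
echo "before distrust:    $(verify_leaf "$WORK/trust-before.pem")"
echo "after distrust:     $(verify_leaf "$WORK/trust-after.pem")"
```

The point of the before/after pair is that nothing about the rogue certificate itself changes; only the trust store does. That is why the vendor updates mattered, and why a machine that never installed them kept accepting the bad certificates. Pointing `-CAfile` at your own system's bundle in place of the constructed one is a quick way to check whether a given CA is still trusted on a box you administer.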