Monday, February 27, 2012

Get Your Comments In -- PCI Feedback Period Ends Soon

I want to remind everyone that the PCI Feedback period concludes in March. If you have comments on any of the requirements in PCI v 2.0, if you would like clarification on any requirement, or if there are changes you would like to see, please get your comments to me either via a comment on this blog or email to me ( or Tom Davis (

NACUBO is a Participating Organization, and it is in every Higher Education institution's interest to have your voice heard.

Give it a thought, and get back to either of us. We look forward to hearing from you.

Friday, February 24, 2012

Drink Water

Going to RSA?

If you don't understand the question, then you don't realize this is Security Woodstock...I think I just dated myself. Security geeks from around the planet gather for one week in San Francisco. Oh yes...along with every vendor in this space, most of which are sponsoring parties and alcohol-fueled gatherings...all of which I do my best to skip. Well, most of them, anyway.

If you will be there, let me know and let's meet up. Also, whether you want to see my smiling face or not, see this for a guide and guidance.

And to everyone else, if you wonder why I'm not responding to emails or phone calls, now you know!

Thursday, February 23, 2012

Physical Security Matters, Too

I have a couple of very nice briefcases that I've collected over the years. There is the Coach one I sometimes use, and the rather nice (!) Ferragamo one I bought in London that always gets compliments, and the standby Lands' End (actually, about the third as the others wore out or died happy deaths of very old age). But I find these days with airplanes that resemble third-world buses and my need to carry my laptop and assorted toys, that I'm using my backpack while the beautiful briefcases gather dust.

Good thing.

If you don't believe me, read this description of a "security breach" in Paris. Seems the guy had sensitive papers in his briefcase, and got distracted in a train station. The result is the bad guys got away with his company's papers.

I wonder if they just wanted the (high end) briefcase?

My backpack is looking better, and at least I don't set it down either while buying train tickets or rescuing damsels in distress. Oh yes, it's encrypted, too.

Your Service Provider Contracts

I have long been a bit of a stickler on managing your PCI service providers. Many of you, my clients, know that. In particular, I truly believe that PCI Requirement 12.8 is your friend. Now I have company...the Federal Trade Commission, of all people.

For those of you who are not familiar with each PCI requirement, 12.8 and its four subsections address how you manage your PCI service providers. Service providers are organizations who either store, process, or transmit cardholder data for you or who can affect the security of your transaction (e.g., managed services providers).

In particular, PCI Requirement 12.8.2 stipulates that you have "a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess." That bit about being "responsible for the security of cardholder data" is the important part as the FTC found out in its own way.

You may have heard that the group called Anonymous hacked the FTC's computers recently. According to this article in Dark Reading,

The sites in question were developed by public relations firm Fleishman-Hilliard, which hosted the sites on resources provided by hosting and cloud services provider Media Temple. The two firms are currently duking it out in a very public finger-pointing spat reported by Ars Technica, which also brought to light the fact that the $1.5 million contract to develop the sites initially included security provisions during the acquisition process but then dropped those requirements. [emphasis added]

I'll let you read the entire article, but the lesson is that you don't want something like that to happen to your school's ecommerce or other hosted sites. PCI 12.8 was put there to protect you, and you want to be sure to follow it. And above all, don't negotiate out any security provisions or guarantees.

You also might want to include PCI compliance language in all your contracts for third party merchants on campus like bookstores, food service, craft fairs, the circus (really!) or other entertainment providers. It's your institution's brand that is at risk, and as I've said before, PCI is your friend.

Friday, February 17, 2012

PCI at EDUCAUSE Security Professionals Conference

PCI will feature prominently when EDUCAUSE holds its 2012 Security Professionals Conference in Indianapolis May 15-17. This is a fantastic gathering of Higher Ed security professionals from around the country. I am pleased (and honored!) to say that I will participate again this year, presenting what I hope will be a very informative and current topic: How Tokenization and Point-to-Point Encryption Can Reduce Your School's PCI Scope. This will be a 3-hour exploration of these technologies and how they might apply.

If you or someone from your institution is attending, please have them consider signing up for this session. When I presented last year, we had a packed room with a great audience who had lots of questions. I am looking forward to the same experience this year.

Another PCI-related session is Seminar 01-A, Navigating the PCI Jungle, by Tammy Clark, CISO at Georgia State. It will deliver a "common-sense approach to developing a cost-effective and efficient PCI compliance review program at your institution." This seminar is in the morning, while mine is in the afternoon, so there is no conflict if anyone wants to overdose on PCI the whole day. Actually, the two are complementary. (Don't tell anyone, but I am planning to try and sneak in to this one, and see what I can learn.)

I look forward to seeing some of you at EDUCAUSE in May.