Posts by Tim Holman

RSA Conference Europe 2010

Fresh back from the conference, an interesting few days, but still came back with the feeling that I was trying to be sold something. Not a problem if I’m brave enough to head to Infosec 2011 as that’s what you’d expect, but where some people would have paid £975 for a conference ticket I’m not [...]

End to end encryption – the panacea for payment security or just another commodity?

We’re all hearing a lot about end to end encryption as a security solution for the payments industry at the moment. The message that’s been pushed out is that merchants all need to change their PEDs and introduce more recent, encryption-capable models, so that as soon as card details hit the PED, the PED encrypts [...]

Hosted Payment Pages and Merchant Spear Phishing

According to Visa, there have now been a significant number of successful attacks against merchants who use hosted payment pages. A hosted payment page is one that you can embed in your website, but which directs all customer transaction details to a third party – think Datacash, Cybersource et al. Hosted payment pages offer two distinct [...]

PCI DSS 2.0 has landed

I’m sure most of you would have already seen this, namely a document that summarises the upcoming changes to PCI DSS and what’s going to be in Version 2.0: https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf Official pre-release with Participating Organizations will happen early September, with release to Merchants, Service Providers and QSAs at the end of October. Yes, that’s right. [...]

Visa CodeSure has landed

Visa CodeSure has hit the market. These are cards with built in alpha-numeric displays that allow one-time passcodes to be used in conjunction with a PIN to secure online transactions: http://www.visaeurope.com/en/newsroom/news/articles/2010/visa_codesure_gets_green_light.aspx The first challenge must be replacing the 1.4bn Visa cards already out there, the second being – will it really work and how long [...]

Online Banking Security – a step too far??

I was setting up an online banking account with Sainsbury’s earlier, and was asked to complete a number of ‘secret questions’ to which ‘only I know the answer’. One of the questions was ‘what’s the name of your favourite singer?’. Am I missing something, or isn’t this a pretty silly question to ask, bearing [...]

Infosec 2010

Even if you bought every product on sale at Infosec this year, your data still wouldn’t be secure, but it still amazes me to find vendors that say that their product alone will solve all your problems. Sigh.

Data Discovery likely to become mandated in PCI DSS v1.3 / 2.0

At long last, the standard finally looks like it will mandate that merchants / service providers conduct regular scans for accidental (leaked) and legacy stores of card data on networks. I have long advised this, but always got the kick back from merchants that ‘well, it’s not in the standard so we’re not going to [...]

£500,000 fine for everybody that makes a mistake and loses personal data!!

…that’s the message I’ve been hearing from vendors who are all leaping on the marketing bandwagon and trying to make a quick buck out of the Data Protection Act (DPA). Whilst a spot of scare-mongering encourages some healthy debate, this is verging on the ridiculous. If I see another mailshot with the words “£500,000. Can [...]

Onsite QSA Requirement for Level 2 Merchants – REVERSED!!

So it appears MasterCard took a quiet U-turn over the festive break and dropped the requirement for an onsite QSA audit for level 2 merchants for July 2010: http://www.mastercard.com/us/sdp/merchants/merchant_levels.html A more sensible date of 30 June 2011 is listed, along with the footnote that Merchants can use their own staff as long as they have [...]
