AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Entries with Label: PCI
PCI DSS v1.2 and its Requirement from WEP to WPA Wireless Encryption
Wednesday, May 06, 2009
Although PCI SSC changed the wireless security standards 6 months ago with the release of PCI DSS v1.2, many merchants are still using WEP in the storage, processing or transmission of credit card information.
The Checklist Approach to IT Security is Failing You
Monday, May 18, 2009
In the past few weeks I have spoken to a number of companies about IT security, and a familiar theme has emerged – too many companies lack a sound framework for overall IT security. Instead many companies are overly focused on completing a check list – firewall, encryption, PCI compliance.
Death by A Thousand Processes: Getting Compliance Right Requires a Change in Thinking
Wednesday, July 08, 2009
It seems like every day we wake up to find a new compliance mandate staring us in the face. These mandates put pressure on our infrastructure, mind share and our budgets. Industry estimates show the cost for compliance can be anywhere from 8-12% of the IT budget of a Fortune 500 company to as much as 25% of the overall IT budget for a mid market company.
A Boston Globe Article Ignites a Password Controversy - Why We Need Them, How to Make Them Effective
Wednesday, April 14, 2010
The article by Mark Pothier in the Sunday Boston Globe entitled “Please Do Not Change Your Password” has caused some controversy among IT staff members, security managers, and technology users. The article provides a compelling argument that the costs associated with frequent password changes outweighs the costs of security breaches caused by weak or static passwords. Although a position on either side of this debate may be supportable, the reality is that there are a number of standards that organizations (your employer for example) must follow including periodic password changes, password complexity requirements and password history requirements.
Compliance and Security Go Hand in Hand – How to Achieve Both
Friday, May 28, 2010
The buzzword “Compliance” has now overshadowed many of the previous popular terms in security discussions. Many equate “compliance” with “security,” but recent literature abounds with titles such as “Compliant Does Not Mean Secure” and “Information Assurance: The Difference between Secure and Compliant.” These articles make the case that it is possible to be compliant yet not secure. Most discussions focus on payment card industry (PCI) security, because of the high value of the data involved, the stringency of the compliance standards, and recent security breaches of major players. It is also useful for illustration purposes, since the typical PCI technical environment is usually confined, and the standards are very specific. However, it is important to expand the discussion beyond one security standard, especially since others are more comprehensive, although less specific.
Too Many Requirements; How One VP of IT Handles It
Thursday, September 30, 2010
In 1996 IT departments were only concerned with two mandates, but today there are over 200 and more than 2500 security controls associated with them. The cost, both in budget and time, associated with understanding, addressing and proving compliance with these ever expanding mandates is considerable. Because requirements expand and change on a regular basis, the project of managing compliance is never complete, leaving CIOs and their IT departments constantly at risk of non-compliance.
You can outsource the work, but not the responsibility
Tuesday, February 01, 2011
Many organizations are under the impression that if they outsource their credit card transactions, then they are not responsible for their PCI compliance. While this may minimize the scope of the PCI environment, it does not alleviate the responsibility for their PCI compliance.
Has it really come down to a bag of chips?
Tuesday, September 20, 2011
A recent vendor machine company had some of its POS systems compromised at waterparks in Wisconsin and Tennessee. This was a major breach…up to 40,000! Go figure. People can’t even buy some snacks or what not from a vending machine without having their credit card information compromised.
