Ed’s October article for TechNewsWorld takes a look at why it’s so hard for companies to determine the true cost of security initiatives and controls.

Organizations love false economies. It may not be an entirely conscious act on their part, but it’s certainly the truth: Hang around any organization long enough and you’ll find at least one instance where it tries to save on doing A but winds up spending more on doing B in the process.

Consider, for example, expense policies that require employees to stay one or more extra nights when traveling. Because airfare is lower when weekend travel is involved, organizations might be tempted to ask employees to do this to keep air costs down; however, very seldom do recouped airfare dollars come even close to combined dollars lost in extra hotel stays, extra meal expenses, lost productivity and reduced employee morale. The combination of hard and soft costs far outweighs possible savings in the area of airfare.

For the rest of Ed’s article, please click here.

TechTarget just published my analysis on the PCI Tokenization Guidelines:

For years, security experts have touted the value of credit card tokenization for limiting PCI scope. The National Retail Federation (NRF) listed tokenization in its January 2009 “Key PCI Best Practices” document, and Gartner Inc. analysts John Pescatore and Avivah Litan explained how tokenization can be used to reduce PCI scope in their August 2009 research note, “Using Tokenization to Reduce PCI Compliance Requirements.”

Now, following the long-awaited release of its PCI Tokenization Guidelines in August 2011, the PCI Security Standards Council (SSC) has made it official: tokenization can reduce scope for PCI audits. Organizations that were waiting for the council’s opinion can now forge ahead with implementations, knowing that credit card tokenization is approved for use in a PCI DSS-compliant cardholder data environment (CDE). That in itself will be welcome news to many merchants.

To read the rest of my analysis, please click here.

After our PCI virtual seminar last week we had so many questions we were not able to address them all during the live Q&A. TechTarget asked us to answer them and post the responses in the Compliance Counselor section of their site – which we did.

So, please to enjoy our 30 answers to your PCI DSS v2.0 questions!

In case you were not able to attend last week – Ed and I delivered a one day virtual seminar for SearchSecurity on PCI 2.0.

The latest update to the Payment Card Industry Data Security Standard (PCI DSS) provided guidance on a few gray areas that had been of major concern to merchants and payment processors. This virtual trade show examines the changes from PCI DSS v1.2 to PCI DSS v2.0 and what it means to enterprises, technology implementers and auditors. Our security experts will offer a step-by-step walkthrough of PCI requirements 1-12. Security professionals will learn what they can do to make PCI DSS effective and manageable in 2011 and beyond.

Sessions include:

Understanding PCI DSS compliance with a Q&A with Jeremy King, European Director of PCI Security Standards Council
PCI DSS: The Next Generation: Making it Work for 2011 and Beyond
PCI DSS 2.0: Inside PCI Requirements 1-6
PCI DSS 2.0: Inside PCI Requirements 7-12

The seminar is free but does require registration with SearchSecurity here.

Wondering how access control fits into the PCI landscape? Ed explains in the SearchSecurity Compliance Counselor -

As most realize by now, compliance with the PCI DSS is difficult. Unlike other security-focused regulations, such as HIPAA and SOX, much of the PCI DSS is highly prescriptive. Whereas many other regulations define high-level controls without much technical implementation guidance, the PCI DSS usually defines acceptable parameters for required controls with comparatively intricate technical detail.

To read the rest of the piece, please click here.

Ed’s column over at TechNews World this month takes a look at the HITECH impacts for healthcare service providers:

With the passage of the HITECH Act, the administrative, physical and technical requirements of the HIPAA Security Rule now apply in equal measure to folks in the healthcare market channel. And quite frankly, the channel is under-prepared. Assuming we want to serve our customers the best way we know how, what are some strategies to go from where we are now to where we need to be?

Have you ever found yourself paying the penalty for a rule you didn’t even know you were breaking? Like getting a ticket for speeding when you didn’t realize the speed limit had changed? Or paying a work-related travel expenses out of our own pocket because you didn’t realize your firm’s travel policy had a restriction that you didn’t know about?

It stinks, right? The stock answer of “ignorance of the law is no excuse” — though we probably agree with it on one level — seems like a tremendous injustice when we’re the ones on the receiving end. But unfortunately, this is exactly the position that many service providers and vendors (i.e., in “the channel”) in the healthcare market could find themselves in if they don’t take action. The rules of the game have changed, and not following the rules could bring about penalties — but many of us don’t even realize any of this is happening.

For the rest of the article, please click here.

Have PCI 2.0 in your sites for 2011? At eSecurity Planet this month, I did an overview of what companies should be thinking about now for PCI 2.0 compliance:

The latest version of the Payment Card Industry Data Security Standard (PCI DSS v2.0) went into effect on January 1, 2011. If your work for an entity that stores, processes, or transmits credit card data in electronic form than your organization is required to comply with the standard or risk disciplinary action: being fined for lack of compliance by the acquiring bank or, in very extreme cases, no longer allowed to accept credit card payments.

If your company’s been in business a while, PCI and PCI compliance are nothing new. The standard has been around since December 2004 and the individual card brand compliance programs that form the basis of PCI have been in place even longer. Chances are your company has already been through a few PCI DSS assessment cycles and you have a few successful RoCs (report on compliance) under the belt. However, you may be wondering if the changes in the recently issued v2.0 of the standard will change your compliance process or require new controls or procedures in order for your organization to be compliant. In this short overview, we’ll take a look at the differences between v.1.2.1 and v2.0 of the PCI DSS and what, if anything, that will mean to your company.

To keep reading please click here.

Ed and I just completed a report for Dark Reading on dealing with insider threats from a compliance perspective.

When you talk about security and compliance, you typically think about protecting the organization from external attackers who want to steal sensitive corporate information. But in many cases, the reason companies fare poorly with audits has nothing to do with those bad guys but, rather, with internal threats.

Small wonder. These are, after all, people we trust (there’s a reason Dante put traitors at the lowest depths of hell). But the facts tell us we are at high risk from internal attack. Studies conducted jointly by CERT and the U.S. Secret Service show about half the companies responding have experienced at least one insider incident, and about a third of all electronic crimes were committed by insiders.

To read the full excerpt at Dark Reading, click here. For the full (free – but registration is required) report click here.

Julie Knudsen has an article on security developments that focuses on internal threats, compliance, end-to-end encryption, and the ubiquitous cloud in the December 17th issue of Processor magazine.

Recognizing the risks posed by employees is sometimes difficult. As [Diana] Kelley puts it, “There’s a psychological barrier that many of us have that says, ‘You’re my employee and I trust you.’ And we really do unfortunately need to get over that. It is the insider that actually has the better access.”

I did the interview a few weeks ago – but the recent WikiLeaks incident is a good recent reminder of the kind of havoc that a trusted insider can wreak. For a nice round-up of lessons for Cyber Security from the leak, take a look at this post from Jon Oltsik at NetworkWorld.

For Julie’s full article from Processor magazine, please click here.

I came across an interesting post today on BankInfoSecurity about how small merchants are having a hard time getting into compliance with PCI.  This is an interesting piece of data and one that bears out what I’ve been saying for a while now: which is, that the “double standard” between the big merchants (tiers 1 & 2 in the Visa parlance) and the little guys (tiers 3 and 4) doesn’t foster an atmosphere where the little guys can really have a shot at being in compliance.

Why do I say that?  The big guys, as you probably know have to do an annual audit and submit a report on compliance while the little guys have to submit a self-assessment questionnaire about their level of compliance – basically one question per standard saying yes/no you are or are not compliant.  Of course, the standard applies equally across all sets of merchants.  In other words, everybody most comply.

So, what do small merchants do in practice?  One of two things: either they don’t know that they have to do anything, in which case they do nothing.  Or, alternatively, they do their best to answer the questions on the SAQ to the best of their ability – but as anybody knows who’s read the DSS, the trick isn’t in the high level requirements, it’s in the subrequirements and the audit criteria for those subrequirements.  No matter which strategy the little guys choose, they aren’t going to get a good reading on whether they are or are not compliant.

We’re what – 5 years in to PCI now?  And still there are numerous small merchants that have no idea what PCI even is – let alone whether they are compliant or what/if they need to do about it. And these aren’t tiddly mom and pop retailers necessarily.  Educational institutions (yes even large universities), hospitals, hotels – these are all folks who might process smaller volume of transactions than somebody like Amazon.com – therefore falling into the lower tiers.

Now, on the back end, the acquirers need to  pass along merchant compliance status of their merchants, so who knows what kind of tomfoolery is going on there for these folks that haven’t heard of PCI.  But in short, there’s relatively little enforcement.  With the possible exception of Wells, who seems to be making a stir from folks I’ve talked to and is rattling cages of these larger low-volume merchants.

Anyway, I just thought it was an interesting data point that bears out a suspicion I’ve had all along – namely that since there’s no/little enforcement with these lower tier merchants, there’s not much compliance going on.