Mar 07 2009

Saturday morning reading, 03/07/09

Published by at 8:58 am under PCI

There have been a lot of stories directly related to PCI this week and not much time to write about them. Of course, this weekend isn’t much better, so I’ll continue my recent trend of posting the stories that caught my eye along with any comments.

Saturday morning reading:

  • Mosso – First PCI Compliant customer through self-evaluation and scanning – The title itself points out the problem I have with this article: the client self-assessed; this wasn’t done by a QSA. The next two articles provide more information on how they came to the conclusion that this solution was “PCI compliant”.
  • Cloud hosting is secure for take-off:  Mosso enables the Spreadsheet store, an online merchant to become PCI Compliant – Mosso is the service provider that’s hosting the Spreadsheet store site, but they are passing off all credit card transactions to a secure payment gateway, and no cardholder information is being saved in the Mosso cloud.  
  • How to utilize Cloud sites in an e-commerce solution – In this pdf, Mosso makes it clear that the customer is redirected to a payment gateway to enter the credit card information and that all the merchant ever sees is a transaction ID and dollar amount.  The payment gateway has to be PCI compliant, but that’s something you should be expecting from your gateway anyway.
  • PCI Compliance and Cloud Computing – Nick Coblentz takes a look at the Cloud and being PCI compliant.  One of the things his article highlights is that there are still more questions than answers in the Cloud.  
  • PCI Council issues priority tool for compliance – This is one I need to take a much longer look at myself.  A prioritized checklist isn’t a bad thing, provided the person using it looks at it critically as it relates to their unique environment.
  • Why I employed a felon – Jason Calacanis talks about why he hired and continued to employ John Schiefer at Mahalo, who is now a convicted hacker. This isn’t a theoretical debate about the merits of hiring a former hacker, but the real-world interaction between two individuals. I have to applaud Jason for giving John a second chance.
  • Security consultant turned hacker gets prison for running botnet – And here’s the impersonal version of the story.
  • The PCI Fraud argument conundrum – Is the PCI-DSS reducing credit card fraud?  Heck if I know, but I believe it’s at least limiting the growth, which isn’t quite the same thing.
  • Secure Payments Day – There’s a number of interesting speakers lining up for this event this June in San Francisco.  I’m hoping that I’ll be able to make it.
  • The NetSecPodcast‘s new logo can now be seen on the FIRST sponsor page. I’ll be recording a series of interviews with the FIRST steering committee, keynote speakers and members of the FIRST community over the next couple of months and attending the event at the end of June. Here’s to having my birthday in Kyoto this year!

I think that’s enough reading for one weekend.


2 Responses to “Saturday morning reading, 03/07/09”

  1. John D. on 07 Mar 2009 at 11:15 am

    I don’t know how much of Mosso’s argument can hold water considering their compliance because they don’t store any cardholder information. It’s been a while since I’ve done any real PCI related work; but I do recall something about what is and isn’t in scope along the lines of: if the cardholder information is stored, processed or transmitted, it’s in scope. The way I liked to describe it is if the information hits memory, cpu or wire, it’s in scope.

    Just because an organization doesn’t store the information and only transmits it to another processor shouldn’t mean that it isn’t in scope. It should just mean that the information is handled in a method that is consistent with the PCI-DSS requirements, e.g. Reqs 3 and 4.

    I’m not implying that they might not be compliant. I’m just suggesting that a full QSA assessment report might change the wording a bit.

  2. Martin on 07 Mar 2009 at 12:43 pm

    If you read the third article, it sounds like they’re actually handing the customer off to the gateway service provider for the payment. Depending on the integration, the customer might not even know it. If the Mosso client isn’t ever receiving the cardholder information, then they don’t have an in-scope network.

    I need some convincing, but it sounds like a viable solution, provided the gateway provider is well assessed.
