Mar 07 2009
There have been a lot of stories directly related to PCI this week and not much time to write about them. Of course, this weekend isn’t much better, so I’ll continue my recent trend of posting the stories that caught my eye along with any comments.
Saturday morning reading:
- Mosso – First PCI Compliant customer through self-evaluation and scanning – The title itself points out the problem I have with this article: the client self-assessed; this wasn’t done by a QSA. The next two articles provide more information on how they came to the conclusion that this solution was “PCI compliant”.
- Cloud hosting is secure for take-off: Mosso enables the Spreadsheet store, an online merchant to become PCI Compliant – Mosso is the service provider that’s hosting the Spreadsheet store site, but they are passing off all credit card transactions to a secure payment gateway, and no cardholder information is being saved in the Mosso cloud.
- How to utilize Cloud sites in an e-commerce solution – In this pdf, Mosso makes it clear that the customer is redirected to a payment gateway to enter the credit card information and that all the merchant ever sees is a transaction ID and dollar amount. The payment gateway has to be PCI compliant, but that’s something you should be expecting from your gateway anyway.
- PCI Compliance and Cloud Computing – Nick Coblentz takes a look at the Cloud and being PCI compliant. One of the things his article highlights is that there are still more questions than answers in the Cloud.
- PCI Council issues priority tool for compliance – This is one I need to take a much longer look at myself. A prioritized checklist isn’t a bad thing, provided the person using it looks at it critically as it relates to their unique environment.
- Why I employed a felon – Jason Calacanis talks about why he hired and continued to employ John Schiefer, now a convicted hacker, at Mahalo. This isn’t a theoretical debate about the merits of hiring a former hacker, but the real-world interaction between two individuals. I have to applaud Jason for giving John a second chance.
- Security consultant turned hacker gets prison for running botnet – And here’s the impersonal version of the story.
- The PCI Fraud argument conundrum – Is the PCI-DSS reducing credit card fraud? Heck if I know, but I believe it’s at least limiting the growth, which isn’t quite the same thing.
- Secure Payments Day – There are a number of interesting speakers lined up for this event this June in San Francisco. I’m hoping that I’ll be able to make it.
- The NetSecPodcast‘s new logo can now be seen on the FIRST sponsor page. I’ll be recording a series of interviews with the FIRST steering committee, keynote speakers and members of the FIRST community over the next couple of months and attending the event at the end of June. Here’s to having my birthday in Kyoto this year!
I think that’s enough reading for one weekend.