|
I would like to update you on most notable news from the PCI 2012 community meeting which took place in Orlando, Florida.
1. There were no announcements regarding any major changes in either PCI DSS or PA-DSS, but there is a tendency of expanding these standards into the new areas such as Tokenization, Mobile Payments, and P2PE (see below). 2. Tokenization guidelines will become a standard in near future which means the rules around tokenization must be followed and any token implementation must be assessed by auditors. It is still unclear whether it is going to be separate standard or part of the existing one such as PCI DSS. The standard will cover all aspects of tokenization such as token generation, token storage (token vault), usage, etc. Final delivery of the standard: 2013-2014. 3. Mobile Payments - The Mobile payments solutions are going to be divided into 3 major categories with several sub-categories – based on different technologies and hardware/software configurations. For example, smart phone based solutions fall under 3rd category. The idea is to gradually release guidelines for each and every category/sun-category, and eventually create a mobile payments standard, so most probably, the mobile payments guidelines eventually will become a standard - similar to Tokenization. There were no timelines provided for the future guidelines or standards. - New PCI Mobile Payment Acceptance Security Guidelines for Developers were released during the meeting. 4. P2PE - Next Steps: The next step is releasing the Hybrid P2PE Requirements (there is an existing draft), and the next one is going to be software P2PE. No dates were provided. - SAQ-P2PE-HW: I don’t know if you have noticed but there is new SAQ-P2PE-HW (Self-Assessment Questionnaire for Hardware/Hardware P2PE) available on PCI website since June. It still cannot be used because there are no listed PCI P2PE solutions yet. Once the P2PE solutions listing is published on the PCI website, merchants that implement PCI approved P2PE solution will be eligible to complete special SAQ which is supposed to be “easier” than regular one. Note: this is still only applicable to merchants that are eligible for SAQ. Others will still go through the regular QSA assessment. 5. New PCIP (PCI Professional) certification program was just launched (in September). The idea is that each organization would have PCIP-certified employees who understand the PCI and help to maintain PCI compliance. The difference between PCI ISA and PCIP is that PCI ISA is linked to specific employer while PCIP is a personal certification. Criteria: All candidates - training course and exam; CISSP holders - only exam; PCI ISA holders - no training or exam, can be earned automatically (I signed in already). Does it only happen to me? Are they serious? Thanks to Apple online store which worked just well - under the same stress.    Words that most people understand:
Free, Unlimited, Service, File, Versioning, Folder, Hard Disk, Computer, Mobile, Web, Access, Sharing, Sync, Protected, Safe Words that many people don’t understand but can stand, get used to, and even like: Cloud, Drive, Failure, Secure, Backup, Storage, Application, Privacy, Encryption. Words that normal people don’t understand and don’t want to understand, although they use these things every day: Server, Client, File Server, Network, Balancing, Local, Port, IP, Address, DNS, Domain, Subdomain, Cache, Node, Peer, Cluster, Redundancy, HTTP, SSL, TLS, SSH, SFTP, AES, Compression, Cryptography, Symmetric, Asymmetric, Public Key, Private Key, Connection, RAID I was on my way back home to Dallas from Las Vegas where I attended Black Hat 2012 and DefCon XX security conferences. I had connecting flights with connection in Phoenix. I was traveling with my wife and kids. We had only one seat upgraded so I used my privilege of being a head of household and took the first class while my family sat in one of the first rows of the main cabin (still pretty close because it was small airplane).
About one hour after the takeoff, when I went to check my wife and kids, one of my daughters needed a restroom but the isle was blocked by the service cart so she could not use the lavatory for the economy class at the back of the plane and I decided to take her to the first class. However, the flight attendant told me that we must return to our seats immediately because "the pilot is coming out". We had nothing to do but obey the instructions and go back to our seats, while two flight attendants were standing between the first class cabin and the small service space that separates the cockpit door from the rest of the plane. I guess there is security procedure that requires two flight attendants forcing all passengers to sit down and watching them while one of the pilots is coming out to the restroom... Although the cockpit doors on all US commercial airplanes were reinforced after 9/11, there are situations like this during the flight -- especially if it is relatively long one -- when bulletproof cockpit door is simply unlocked. Just a few feet separate first row of the first class seats from the cockpit door. Someone could just jump from the closest seat right at the moment when the door is unlocked and enter the cockpit. I am assuming that bigger planes have the lavatory inside the cockpit as well as the distance between the passengers’ seats and the cockpit door is much longer there so the pilots may have enough time to lock the door if something is going wrong. However, it looks like small airplanes still aren’t so safe.  Black Hat 2012 in Las Vegas, July 26 I am helping Bruce Schneier with translation of his Crypto-gram newsletter to Russian. My small contribution to his great work...
Interesting quotes and notes from Black Hat 2012 Day One:
Jeff Moss: "I fear Google more than I do the government." "The best money you can spend [on security] is on your employees." According to Microsoft, Windows 8 uses enhanced mitigation techniques which are supposed to eliminate some threat types completely. 64 bits version is more secure than 32 bits. (I will follow up with more details later on). This guy -- ZonD Eighty -- managed to trick the Apple app store payment system (by using the alternative payment website -- in-appstore.com -- and fake certificates) in order to get for free the services which are normally supposed to be paid through the Apple app store. Here is how it works (pretty simple!):
"First Sign off your appleID in Settings->Store->Tap on your appleid->Sign Off Second Open this page into your iDevice. Install these certificates (just tap on links): First, Second. The order of installing is very important! Install first certificate first, second - second. Third Go to application where you want to buy in-apps, and make attempt to buy something. Tap "Cancel" on "Do you really want to purchase?" window. Fourth Open Wi-Fi settings on your iDevice and tap arrow on the right of your Wi-Fi network. Remove all data from DNS field and set it to this IP address: 94.228.221.10, 91.224.160.136(more to come) U're done!Go to your application and try to buy something!" |
  
Books
 Crypto Basics
 Bitcoin for Nonmathematicians: Exploring the Foundations of Crypto Payments
 Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions
Recent Posts
Categories
All
Archives
March 2025
|
Slava Gomzin
Author of books Crypto Basics, Bitcoin for Nonmathematicians, Hacking Point of Sale
RSS Feed
Copyright © 2011-2022 Slava Gomzin
