Archive for the ‘Conferences’ Category
Filed Under (Conferences) by Michael Dahn on June-30-2008
Filed Under (Conferences) by Michael Dahn on May-7-2008
I got back last night from presenting at the Treasury Institute PCI Workshop that Walt Conway puts on every year. It was a great success, with over 130 participants from just about every major university and higher education facility. It was nice meeting both TouchNet and infiNET, sponsors of the event and companies for which I performed their first PCI assessments many years ago. I also saw Breach Security, a sponsor and a company that helps protect against bad things.
I gave a presentation titled “Heroes, Chorus Lines, and Community”. The three parts translate roughly into:
- Heroes: those who have validated compliance, and their foes being those who have not. We first define the difference between compliance and validation, and then look beyond simply achieving validation to determine how you got there.
- Chorus Lines: the chorus lines are the parts we remember, but how many of us remember the verses? We all know the details of compliance (i.e. requirements 1-12), but do we understand the intent and nuances behind them? Are we looking at the big picture or still asking, “what is a system-level object?” Also, have we moved beyond simple risk management to a state of Attack Vector based Risk Management (AVRM)? This is where we look at how attacks actually occur and use that information to better allocate capital resources to mitigation measures.
- Communities: I highlight the importance of knowing whom to trust and how to build trusted relationships in order to increase the flow of information and keep the signal-to-noise ratio in your favor. “Trust is the only real currency” is the mantra of this section, and we outline a few communities for you to follow: the SPSP, blogs, and podcasts. Most important, though, is meeting others who are in the same situation and keeping in touch so you can do a sanity check on your status and actions.
This event was focused on the implementation of PCI DSS compliance projects for Higher Education. In between were presentations such as mine, one from Benita Kahn on the legal aspects of PCI, and one from Bob Russo, General Manager of the PCI SSC.
Only if that city is in Poland. I’m about to hop on a flight to Warsaw, Poland (check my Dopplr) to teach several classes on PCI. We normally teach in about 5-10 countries a year in addition to the numerous PCI classes we teach in the US. I’m both excited and exhausted.
I’ve been traveling for many weeks straight, and the past two weeks have been back-to-back conferences (RSA and ETA). I’m about to embark on a 1.5-week trip and I hope I have everything I need. While there I plan to make a side trip to Krakow for a day. I have a friend with relatives there who might be able to give me a tour.
Last week at ETA, the PCI SSC released clarification documents about requirements 6.6 (protecting public-facing web applications through application code review or a web application firewall) and 11.3 (penetration testing). Keep checking the PCI SSC website for the electronic copies. I’m excited to hear what those implementing PCI in Europe and the rest of EMEA have been experiencing. There will be participants from Western and Eastern Europe, and I’m hoping to share the experiences that other PCI assessors are having all over the world.
One of the great advantages of teaching classes all over the world is the ability to learn and share information. Also, since ETA was just last week, I’ll be able to share more about the programs and information the PCI SSC has recently released. I’m very impressed with all the people working so hard to churn out documentation. I think there is more documentation, more FAQs, and more clarification papers about PCI than about any other standard.
While I’m traveling I’m going to share information about the blog, the forum, the Society of Payment Security Professionals (SPSP), our podcasts, and much more.
We are always looking to expand the list of people who are blogging, so if you have an interest in contributing to PCI Answers, please email me. We are always looking for subject matter experts (SMEs) and those wishing to blog in non-English languages. If you already have a blog and want it syndicated, join the SPSP and add it to the payment security blog aggregation feed.
I arrived in Las Vegas today for the Electronic Transactions Association (ETA) conference. It’s a who’s who of the payments industry. Today, for the first time, my inbox was dry, as everyone is in transit to Vegas.
The Aegenis Group will have a booth! Come by and visit; we are right next door to the JCB booth. There will be some very interesting events happening tomorrow, among them the official rollout of several new projects:
- Society of Payment Security Professionals (SPSP) - I’ve seen the membership and it really is a who’s who cross-section of the industry: merchants, acquirers, QSAs, etc. Be there or be square. A few free memberships are still available, but they are going fast!
- Certified Payment-Card Industry Security Manager (CPISM) - Become the first one on your block to be CPISM certified! Show others that you know your payment industry foo.
- Podcasts - Get your free and informative podcasts about the different nuances of PCI and regulatory compliance. If you don’t have iTunes then check the raw files here.
- eLearning - If you want training and education for your merchants, but want it delivered in a simple online fashion then this product is for you.
If you’re at ETA and want to talk, come by our booth or give me a call. Also, if you’re going to be in Warsaw, Poland next week let me know. I’m looking forward to seeing all the QSAs there - new and old. Going to be in Australia in June? I am, so look me up. I still have a phone SIM from my last trip to AU so I’ll publish the phone number when I figure it out.
I’ve spoken with several vendors at RSA, and some are better than others at positioning their product within a specific market. This year, everyone at RSA is talking about two things: risk and regulatory compliance. Of those, what I really care about is PCI and specifically the payment services space. I’ve learned some of the good and bad ways that vendors market their products.
The following is a list of several common pitfalls of vendor marketing:
- Promising the world - Every product seems to address PCI compliance… and GLBA, HIPAA, SOX, and if asked I’m sure the vendors would say they address XYZ LMNOP compliance too. The problem with this is over-committing and under-delivering. Vendors can tell their VC firms their product will save the world, but never tell potential customers - unless you plan on delivering in a big way.
- PCI DSS Mapping - The next step up from spelling PCI is to perform a 1-to-1 mapping of every single PCI DSS requirement to your product. Again, this is an error of promising too much and never really delivering on any of it. Companies that read the detailed PCI DSS requirements want to address as many of them as possible, so they find ways that their products can meet their own interpretation of each requirement. Many marketing people consider this to be understanding their clients’ needs, when in reality there is no single product that meets every PCI DSS requirement.
- Being agnostic to the data - In an effort to be everything to everyone, many vendors say their product is agnostic of the data: we can protect it all! The problem again is that you become a generalist and do not show anyone that you understand the specific needs of their data. Sometimes it’s good when your product can protect all data, regardless of type, but how do you communicate to each customer that you understand their needs?
When entering the payment services space it is paramount that vendors understand the specific business needs of the market. Vendors need to understand the top problems companies have in addressing compliance and how their product eases those problems. Without a solid understanding of the data and the market’s business needs, a company may struggle to communicate with prospective customers.
Also, companies want their vendors to educate them. I’ve written about this before, but it’s paramount that vendors understand their clients’ market better than their clients do. A potential customer wants to visit a vendor website and be educated about current business needs and roadblocks they have not yet encountered. If a vendor can accomplish this, it can reach the coveted position of market leader - and, more importantly, someone its customers can trust and respect.
For more information on entering the Payment Services market space, please check out our service offering.
Filed Under (Conferences) by Michael Dahn on February-15-2008