Reading Uri Rivner’s blog this week (http://blogs.rsa.com/rivner/anatomy-of-an-attack/), RSA have been rather brave to disclose how their systems were recently breached. According to Uri, an Excel attachment with embedded Adobe Flash content was sent to a small group of low profile users within RSA, with the title “2011 Recruitment Plan”. At least one user had opened […]

Blackfoot have arranged a half-day educational event around PCI DSS in London on Wednesday March 9th from 13:30 to 19:30, where the following speakers will be presenting their views on the topic. The Standard – Jeremy King – PCI SSC The Acquirer – Eamonn Skyrme – RBS Worldpay The Card Scheme – Andrew Mulvenna –

Visa Europe have recently announced that retailers that are using chip and PIN at a store level only have to complete milestones 1 and 2 in order to validate their compliance. Furthermore, if the retailer extends compliance to cover milestones 3 and 4, they would be exempt from any penalties in the event of data

I’m still coming across a number of brick and mortar merchants whom have been advised by their QSA to put their store environments into scope of PCI DSS and spend millions of pounds implementing end-point security and network monitoring solutions. Exactly what benefit does this give? Not even high street banks go to this level

If you’re going through a PCI DSS assessment and hit point 12.8, you might think of a Service Provider with whom you share card data with to be a bank or payment processor. After all, any other company with whom you have a relationship surely couldn’t impose a risk to you customer’s card data? You

I was at Visa Europe’s QSA Briefing yesterday, and one question that cropped up was whether or not a Concierge style service would bring that Concierge into scope as a Service Provider. By Concierge, I mean an entity that keeps Consumer’s card numbers on file so it can book things like flights or hotels on

We’re all hearing a lot about end to end encryption as a security solution for the payments industry at the moment. The message that’s been pushed out is that merchants all need to change their PEDs and introduce more recent, encryption-capable models, so that as soon as card details hit the PED, the PED encrypts

According to Visa, there have now been a significant number of successful attacks against merchants whom use hosted payment pages. A hosted payment page is one that you can embed in your website, but directs all Customer transaction details to a third party – think Datacash, Cybersource et al. Hosted payment pages offer two distinct

I’m sure most of you would have already seen this, namely a document that summarises the upcoming changes to PCI DSS and what’s going to be in Version 2.0: https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf Official pre-release with Participating Organizations will happen early September, with release to Merchants, Service Providers and QSAs at the end of October. Yes, that’s right.