Thursday, May 17, 2007

On PCI-DSS

Every time you hear of another security breach at a retailer, you cringe. You cringe, but you carry on, because you know it happens all the time; it has become too common.

I've blogged on this particular problem before, but it is quite simple to understand that standards really are not of much help unless they are supplemented with a lot of education and awareness. I throw those two words around quite a bit because they MATTER. Educate your IT staff on sound security practice and you'll save yourself a whole lot of heartburn later.

Remember that almost all such problems trace back to human error. Computer faults are also usually caused by humans, so don't go around blaming a defenceless piece of hardware or software.
How, you ask?
1. Insecure code/programs/applications (easily subject to buffer overflows or crashes, insufficient input checks, weak or no authentication required to run them, and so on)
2. Misconfiguration of the application or site, including firewalls and authentication schemes
3. Poor or no training of the staff who are supposed to manage the data
4. Lack of encryption, i.e. sensitive data kept in plaintext files

Of course, the above is just a very short list of possible sources of breaches, but they are probably the most common.
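Items 1 and 4 above (insufficient input checks and card data kept in plaintext) are the two a developer can act on directly. What follows is an added example, not code from this post or from the PCI council, of the minimum a merchant application should do with a primary account number (PAN): validate it with the Luhn mod-10 check before processing it, keep no more than the first six and last four digits once it is logged or stored, and never persist sensitive authentication data such as the CVV, PIN or track data. All function names are hypothetical and the sample record and log line are constructed. Note the caveat: this truncates the PAN; a system that must retain the full PAN (e.g. for recurring billing) needs strong encryption and key management on top, which this example does not show.

```python
# Added example (not from the post): reject malformed PANs before use and make
# sure a full PAN or sensitive authentication data never reaches a file.
# All function names here are hypothetical; sample inputs are constructed.
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
SENSITIVE_AUTH_DATA = {"cvv", "cvc", "cvv2", "pin", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check on a string of 12-19 digits (rejects garbage early)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first 6 and last 4 digits; everything else becomes '*'."""
    if len(pan) <= 10:          # too short to keep anything safely; mask it all
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# A run of 12-19 digits not adjacent to other digits: a candidate PAN in free text.
_DIGIT_RUN = re.compile(r"(?<!\d)\d{12,19}(?!\d)")


def redact_line(line: str) -> str:
    """Mask every Luhn-valid 12-19 digit run in a free-text line (e.g. before logging).

    Runs that fail Luhn, such as order numbers, are left alone so logs stay useful.
    """
    return _DIGIT_RUN.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0),
        line,
    )


def sanitize_for_storage(record: dict) -> dict:
    """Return a copy that is safe to persist: the PAN is replaced by its masked
    form and sensitive authentication data (CVV, PIN, track data) is dropped."""
    if not luhn_valid(record.get("pan", "")):
        raise ValueError("invalid PAN")
    out = {k: v for k, v in record.items() if k.lower() not in SENSITIVE_AUTH_DATA}
    out["pan"] = mask_pan(record["pan"])
    return out


if __name__ == "__main__":
    # Constructed sample: a test PAN used in sandbox environments, not a real card.
    rec = {"pan": "4111111111111111", "exp": "12/09", "cvv": "123", "amount": "12.50"}
    print(sanitize_for_storage(rec))
    print(redact_line("auth ok pan=4111111111111111 order=1234567890123456"))
```

The Luhn check in `redact_line` is a deliberate trade-off: it keeps order numbers and timestamps readable in logs, but a Luhn-invalid PAN typed by a customer would pass through unmasked, so the check belongs at input time as well, where `sanitize_for_storage` enforces it.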

In any case, I looked at the 12 requirements of PCI-DSS, and I find they are too generic: they lay out a framework rather than concrete instructions. I know and understand how complex the whole thing is, but it would be good if the PCI council could provide merchants with more detailed guidance on what to do and how to go about doing it.

For all I know this is already happening (I know nothing about how these guys work behind the scenes), but from what the CISO of FirstData said, it looks like they really need some handholding, or at least more clarification.

Be safe!

1 comment:

Security Phreaks said...

The 12 requirements in PCI DSS are quite complex but GFI did a great job breaking them down into bite-size chunks: PCI DSS made easy white paper