Lee Buttke

Lee has more than 13 years of consulting experience in information technology and security, specializing in third-party risk assessments, program management, regulatory compliance (PCI, GLBA, SOX) and assisting organizations in security initiatives. Lee has managed numerous regulatory and security assessment projects in financial services, education and retail. Lee is also a Certified Information Systems Security Professional (CISSP), a Certified Payment-Card Industry Security Manager (CPISM), and a PCI QSA. Lee holds a B.S. in Business Administration from the University of Wisconsin—Stout, and an M.S. in Information and Communication Sciences from Ball State University.
More by Lee Buttke
PCI Compliance: Now a Finance Issue as Well
May 20, 2010

As an information security professional, my experience within the payment card security industry has taught me that credit card fraud is not just an information security or information technology issue, but increasingly also a financial one. In order to process payment cards, organizations must execute agreements with financial institutions ("acquirers") that legally obligate them to put in place appropriate controls to protect the underlying data. In most organizations, it is the finance and accounting teams that are most familiar with the business processes involved in the acceptance, chargeback and settlement of credit card payments. Therefore, it is very important that the CFO and finance teams be involved in any effort to construct a sound credit card security program. Such a program should seek to minimize both the risk and the cost of compliance. The payments community has learned that stolen credit card data is a valuable commodity among criminals; just ask the folks at TJX or Heartland Payment Systems, where breaches resulted in the exposure of credit card data for millions of people.

PCI DSS

The compliance requirements (and the fines for noncompliance) are being pushed down from the card brands to the financial institutions or acquirers, who in turn push them down to their customers ("merchants" and/or "service providers"), contractually requiring those organizations to become PCI-compliant. Organizations that have a single acceptance channel for credit cards (e.g., a POS or the web) and use third-party software should self-assess via the Self-Assessment Questionnaire (SAQ). Financial professionals should use the Prioritized Approach published by the PCI Security Standards Council (SSC) to address the specific risk areas within their organizations that involve credit card data. Organizations that have multiple acceptance channels (storefront, point of sale and/or the web) and that store credit card data should involve a Qualified Security Assessor (QSA) if assistance is needed.

Upcoming dates for the standard

There are two important PCI-related dates that are fast approaching and that finance people should be aware of. July 2010 marks the date after which all merchants must use certified payment applications. A payment application is any application that accepts, transmits or processes credit card data; examples are a card swipe machine at a grocery store or a pay-at-the-pump application at a gas station. September 2010 concerns the PCI DSS itself: the next set of updates to the standard is scheduled for release that month, and those updates will take effect in January 2011.

PCI Assessors Meeting
May 14, 2010

I am currently on my way back from Las Vegas and the PCI (Payment Card Industry) Assessors Meeting. I guess it is appropriate that the Delta flight that I am on is a cashless flight; you are now able to buy all the $5 Pringles you can eat with a credit card. But I digress; the real update here is regarding the PCI Assessors Meeting that I attended Thursday afternoon. In all there were approximately 30 representatives of QSA (Qualified Security Assessor)/ASV (Approved Scanning Vendor) companies in attendance. The event was not well attended from the perspective of many people that I spoke with, some attributing the lack of attendance to the session not being well publicized.

The meeting provided a summary of the last couple of months within the payment card industry. The monthly newsletter was discussed, as well as the relevance of the topics covered within the newsletter. Evidence gathering and how evidence is verified provided some information on the top 10 areas for improvement for the DSS (Data Security Standard) and PA-DSS (Payment Application Data Security Standard). Speaking of the PA-DSS, it was reported that there has been a 17% increase in the number of ROVs (Reports on Validation) being submitted.

The recently released ASV Program Guide was summarized during the meeting, including the new reporting templates. The question and answer session lasted longer than the presentation and covered a broad range of topics. There were questions related to assessment methodology and the need to have consistency in approach amongst the QSA firms. The QA Program will be updated in the fall to coincide with the update to the DSS. The updates or potential updates to the standard were not discussed, as the card brands and the SSC (Security Standards Council) want to make sure that they adhere to the feedback lifecycle timelines that have been established.

Overall, the meeting would have been better received if more information had been provided regarding the proposed updates to the DSS. However, the card brands and the members of the SSC were willing to engage in productive conversation that will benefit the standard in the long term.

Brand Reciprocity Revoked by Visa and MasterCard: What It Means for Merchants
November 12, 2009

Brand reciprocity refers to how the card brands acknowledge the different merchant levels of the other card brands. For example, if an organization is a Level 2 Visa merchant but a Level 4 MasterCard merchant (both designations based upon transaction volume), brand reciprocity means that the merchant would be classified as a Level 2 merchant.

The classification level determines the type of validation required (SAQ or ROC). Of the other participating card brands, only Discover acknowledges brand reciprocity; AMEX and JCB do not. However, Visa Canada still recognizes brand reciprocity within merchant levels. Brand reciprocity gained increased importance this past summer, when MasterCard announced that Level 2 merchants would have to validate compliance through an onsite audit and a ROC done by a QSA. The announcement specified that Level 2 MasterCard merchants would have to validate compliance through this more rigorous process by the end of 2010. Under brand reciprocity, this requirement meant that if a merchant was, say, a Level 2 Visa merchant (previously validating compliance through a SAQ) and a Level 3 MasterCard merchant by volume of transactions, the merchant would be considered a Level 2 MasterCard merchant and would thus be required to validate compliance through a ROC by an outside QSA firm. With brand reciprocity revoked, we need to take a look at a merchant's transactions by card brand. By looking at these individual card brand transaction volumes, we can assist the merchant in making a determination of its merchant level status and the corresponding type of validation required. Also, remember that brand reciprocity is still in effect for Visa Canada.

European PCI Community Meeting: Some Impressions
November 2, 2009

The trip back to the U.S. from the European PCI Community Meeting in Prague took about 12 hours. For someone who lives and breathes PCI, that equals one hour for each of the 12 requirements of the Data Security Standard (DSS). Here are my impressions of the conference.

First, the PCI Security Standards Council did another great job of bringing the payments community together to discuss current topics and provide feedback regarding the DSS. Second, I met a lot of interesting people and made numerous contacts during the networking sessions.

Third, the meetings were well attended and provided valuable information. I was able to discuss the current state of compliance with European representatives from acquirers, card brands, merchants, service providers, and fellow QSAs. One thing that stands out from these conversations is that the U.S. remains in the forefront of payments security.

Fourth, from a QSA or practitioner point of view, two topics of special concern emerged during the open-microphone sessions: issuers and logging. These two areas were also brought up at the North American Community Meeting in September. So the feedback from the community on both sides of the Atlantic indicates a need for more clarification and guidance on how organizations that are classified as issuers need to comply, and for more guidance on how to review logs.

Fifth, if you ever have an opportunity to visit Prague, make sure to do so. The city is amazing, and the Czech people are very hospitable to visitors. It was a perfect venue for the European PCI Community Meeting.

PCI and Assessment Consistency
July 15, 2009

As many organizations that have hired QSAs recently have seen, the Report on Compliance (ROC) for v1.2 of the PCI DSS has changed quite dramatically from previous versions. Although previous versions of the DSS required that a QSA address all the controls and properly document them, in fact many ROCs failed to provide adequate documentation that could be upheld in court. In general, as many QSAs have seen, the quality of work being delivered has varied widely. The QA process and scoring matrix released by the PCI SSC for v1.2 level the playing field for all QSA firms and provide excellent guidance on documentation requirements.

Some QSA firms were severely cutting their fees and providing sub-standard work. For example, two days onsite for an audit, in almost all circumstances, simply does not give adequate time to understand and assess a complex environment. As a customer looking for a QSA firm, don’t be lured by price alone. Obviously, price is a factor, and the market is especially competitive in today’s economy. Ask the QSA firm you are considering for sample reports; there should be fully documented answers that provide descriptive, stand-alone responses. Inquire about the skill sets of the QSAs who will be conducting the work, and ensure that they have experience with your industry. Consider the talent of the QSA firm; remember that your business reputation is potentially at stake.

With the amount and severity of breaches today, it is up to customers to ensure that they use a quality QSA to assess their environment. Unfortunately, many organizations just want to “pass”, and if they do, they think they are good for the year. That’s short-sighted. A PCI assessment is a point-in-time validation, but an organization must maintain compliance at all times. Good QSAs will establish ongoing relationships and offer assistance in maintaining compliance over time.

We, as QSAs, are now being audited ourselves, and the PCI SSC QA team will be reviewing all of the QSA firms out there. This is a step in the right direction to ensure consistency among QSA firms and their associated deliverables. It is beneficial for the customer too, as the quality of work is improving and the customer can start comparing apples to apples.
