controlgap.com

Posts by:

David Gamey

How To Avoid Scams When Donating To Natural Disaster Charity Groups

It's hard to imagine a natural disaster until it starts happening in your own backyard. Unfortunately, the people of Texas have experienced, and continue to experience, the unimaginable over the course of the last several days. The flooding, damage, and tragedy from Hurricane Harvey are still ongoing and enormous in scale: many people have lost their lives, and many more have lost their homes and possessions. Canadians can recall our own flooding disasters in Toronto, Calgary, and Canmore in 2013, as well as the repeated flooding of Winnipeg over the years. As devastating as these were, they were but a tiny fraction of what Houston is now enduring.

A Misadventure on THE AIRLINE THAT SHALL NOT BE NAMED

Whether you embrace or eschew the label of Road Warrior, if you've traveled extensively for business then you have experienced the trials and tribulations of that lifestyle. Your limits have been tested and your plans ruined. In the end you can get angry or get over it. Last week, one of our own had just such a day. The account below represents one person's determined attempt not to let it get to him. It is based on a true story, albeit viewed through the coloured lenses of frustration, joviality, and a really twisted sense of humour. The names have been changed to protect the guilty and also to avoid any GDPR entanglements.

Understanding P2PE, NESA, E2EE, and PCI Compliance

Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and money. Merchants want ways to simplify their PCI compliance, as do the card brands, acquirers, and processors. When the PCI Council announced P2PE in 2011, there was an immediate and huge demand for approved P2PE solutions. It wasn’t that merchants wanted P2PE as such; rather, they wanted the massive compliance simplification and risk reduction that P2PE promised to provide. QSAs and ISAs hoped for clear assessment requirements to make their merchant PCI DSS assessments simpler and less ambiguous. Late in 2016, the PCI Council announced NESA (Non-listed Encryption Assessments), and again there was an immediate and huge demand for it. The problem is that the demand is based on perception, not understanding.

7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise

Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES, they have issued a news release stating that one of the approved modes has been broken. Since FPE is actively deployed within the payment industry, this will have implications for payment security and for users of this technology. But how bad is the problem? And if you happen to be affected, what can you do?

What The CIA WikiLeaks Dump Has In Common With PCI Compliance

In recent news, WikiLeaks exposed a huge trove of CIA documents. Journalists and bloggers will of course have a field day with this, and the general public will be spectators to another ongoing drama. From our perspective, thankfully, it sounds like WikiLeaks intends to work with vendors to fix vulnerabilities, which will hopefully spare everyone from a shooting gallery of zero-day exploitation.

4 FAQs The PCI Security Standards Council Renamed in 2016

Anyone who relies on the PCI FAQ site for guidance may have noticed some changes in the last few months. In fact, if you bookmarked some of the links, you’ll have discovered that several went completely missing. The council periodically revises and clarifies the content of FAQs; however, this time they altered several of the questions themselves, which changed the permalinks. The main thrust of the change was to move away from the misleading term “scope reduction”. You can still search on the “article number” to find your favorite FAQ, or you may need to use the search page option “Most Recently Updated” under featured FAQ articles.

PCI Announces NESA - A Stepping Stone To P2PE

Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This initial guidance, “Assessment Guidance for Non-Listed Encryption Solutions”, introduces a new path into the P2PE solution space: a standardized way of reporting the strengths and weaknesses of solutions that don't fully meet P2PE requirements. The council is expected to provide more information over the next 3-4 months, including a standardized report template that will be called a Non-Listed Encryption Solution Assessment, or NESA.