Posts about: P2PE

This Week's [in]Security - Issue 235 | insecurity | Control Gap

Welcome to This Week’s [in]Security. PCI and payments: Remote Assessment, PA-DSS/SSF transition, CPE Maintenance, P2PE v3.1, PIN Program, Technical FAQ, DSS FAQ, Neiman Marcus card breach, Apple Pay/Visa Express Travel vulnerability. New breaches: Meet the Pandora Papers (remember the Panama Papers?), LinkedIn scrape (126M), Barclays, Portpass & Sask QR vaccine apps, GrupoGSS. Multi-party breach impact. New Ransomware: Human-operated ransomware. Follow-ups & Fall-out: Fatal ransomware, Clubhouse, Facebook data collection (3.8B), Dallas Police, Epik. Privacy: Android location tracking, pandemic privacy. Laws & Regs: Canada: vaccine passports. US: 4th amendment. World: Russia. Standards: NIST updates, drafts, papers, news. Defense: Webinars, Webinars. CISA. Tools, email, DMARC, TLS 1.3, Tokenization vs. Encryption, Tracking crypto, scambaiting. Vulnerabilities, Zerodays: Other Vulnerabilities: 5G apps, after patching, OWASP 2021, AirTags, Azure, MS MFA, Elastic Stack API, Autodiscover, vCenter. University Wi-Fi, Bitcoin ATMs. Cybercrime: Trends: OTP bots, Fake Pegasus defense, GriftHorse SMS fraud, FinSpy, FoggyWeb. Nation States. Crime: Other Risks: Domain Names, Outsourced, Misinformation, Lying AI, Bulletproof TLS, Health, Safety & Environment. Covid-19: Spread, Curves, Waves, and Variants; Response; Treatments; Immunity; Impact; Covid Ugly; And more.

This Week's [in]Security - Issue 217 | insecurity | Control Gap

Welcome to This Week’s [in]Security. PCI: SLC v1.1, Sunsetting P2PE v2 and PA-DSS. MasterCard resources. Control Gap SSA & SSLC. Magecart mobile, Carders. New breaches: Japanese dating & government, Canada Post, Nukes, Dominos India, Hospitals, Compound redaction leak. New Ransomware: RCMP, Defensive shutdown. Privacy: Facial Recognition, Hiding controls. Laws & Regs - Canada: C-10 impact. US: Breach law. The world: Mass Surveillance, Data residency. Standards: NIST: Cloud, IoT/MUD. USB-C upgrade. Defense: Webinars, Webinars. Pipeline response, Cyber budgets, Unknown-unknowns, FBI supporting HIBP.

This Week’s [in]Security – Issue 129 | insecurity | Control Gap

Welcome to This Week’s [in]Security. This week: Big updates from the PCI Community Meeting including DSS 4.0, P2PE 3.0, and Software Security. Lots of breaches: 8 cities via Click2Gov, Magecart revival and hotel booking sites, Ecuador (yes, the country). Facebook suspends thousands of apps. FBI National Security Letters and back-doors. New MITRE CWE Top 25. Faster Wi-Fi. Elections. AI fighting card fraud. Microsoft breaks Defender. More bad Android apps. Fitbit catches up with murder. Sentencing and sanctions. Russians read FBI encrypted comms. Gene manipulation gone wrong. Crown Sterling demo flops. The climate, carbon footprints, and nukes. And more.

Understanding P2PE, NESA, E2EE, and PCI Compliance | blog,pci | Control Gap

Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and money. Merchants desire ways to simplify their PCI compliance as do the card brands, acquirers, and processors. When the PCI Council announced P2PE in 2011, there was an immediate and huge demand for approved P2PE solutions. It wasn’t that merchants wanted P2PE, rather they wanted the massive compliance simplification and risk reduction that P2PE promised to provide. QSAs and ISAs hoped for clear assessment requirements to make their merchant PCI DSS assessments simpler and less ambiguous. Late in 2016, the PCI Council announced NESA (Non-listed Encryption Assessments) and there was again an immediate and huge demand for this. The problem is that the demand is based on perception not understanding.

PCI Announces NESA - A Stepping Stone To P2PE | blog,pci | Control Gap

Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This initial guidance, "Assessment Guidance for Non-Listed Encryption Solutions", introduces a new path into the P2PE solution space: a standardized way of reporting the strengths and weaknesses of solutions that don't fully meet P2PE requirements. The Council is expected to provide more information over the next 3-4 months, including a standardized report template that will be called a Non-Listed Encryption Solution Assessment, or NESA.
