My Oh My, PCI!

In my work, I’m often engaged with merchants in different verticals, doing PCI assessments. This frequently involves assisting them with their PCI Self-Assessment Questionnaires (SAQ). It’s an interesting process because the merchants run the gamut from Level 2 through 4, size-wise, in terms of annual number of transactions. Visa defines these merchants as less than or equal to six million transactions annually.

With the larger merchants or enterprises, say a University or Corporation, I’ll often find a well-organized PCI compliance group. They usually treat completing their SAQ like it’s a Report on Compliance (ROC), reserved for Level 1 merchants (6 million + transactions annually), and often appreciate the need (not a requirement) to have supporting evidence for each of the control questions in the 12 PCI Requirements. This supporting evidence includes network diagrams, cardholder environment diagrams, router and firewall Access Control Lists, system build checklists, change management checklists, various screenshots, access control, domain policy, policies and procedures, and many other items. All of these are items I’d request if I was doing an on-site audit.

The smaller merchants, on the other hand, have problems ranging from understanding what the PCI-DSS is and why they have to do a SAQ (because their Acquiring Bank says so) to, more importantly, truthfully answering the control questions. Because the SAQ process is a self-assessment, merchants who don’t understand what the Requirements mean or are asking for are tempted to simply answer ‘Yes’ to the more technical questions because they simply don’t know. I’ve found that the latter is often because they have outsourced IT staff and can’t afford the time and cost to engage them in answering the technical questions. Or, they are the IT staff as well as the Business Owner, which is especially true for the very small merchants.

Compounding this lack-of-resources problem, in some cases, are the payment application vendors. They often provide their client, the merchant, with their Payment Application Data Security Standard (PA-DSS) Implementation Guide. This tells the merchant basically, ‘if you installed it correctly and did this and that the right way, this is how your application meets PCI requirements’. I usually ask merchants if they have their PA-DSS and while many do, many do not and need to call their vendor. Having the PA-DSS while completing a PCI SAQ is invaluable because it helps answer sections of Requirements 3, 4, 7 and 8 in particular. Remember though, you’ll only see a PA-DSS Implementation Guide with payment applications, not payment hardware like a swipe terminal.

So, a part of my time is engaged in bootstrapping the merchants who need it, by providing basic education on what the PCI Requirements are all about. I’m sort of a ‘tour guide’ to the PCI-DSS and, as a PCI-DSS Qualified Security Assessor (QSA), feel that this is appropriate. In a sense, I’m raising security awareness and hopefully helping these merchants become not just compliant, but more secure. I work with them to help translate what the technical jargon means and why it matters. During the Remediation phase, I offer suggestions as to how they can meet the control objectives and minimize their compliance burden.

For those merchants who complete their SAQs without assistance from consultants like myself, or in-house resources like a PCI Security Standards Council-trained Internal Security Assessor, I’ve found myself wondering how real their SAQs actually are, in terms of security truth versus wishful thinking and best guesses. And, since their acquiring, or merchant, banks are accepting these SAQs annually, I’m also interested in whether or not these banks follow up with the merchants. Do any of the banks ever find themselves thinking ‘Seriously?’ when they review the SAQ?

While my job is focused on compliance, be it PCI, GLBA, or HIPAA/HITECH, my overarching goal is security.

And that’s what it’s all about, for all of us.

Be well.

Bill Wildprett

Keeping it Real

2012 has been a very busy year for me, so far. Last winter I took and passed the ISACA Certified Information Security Manager (CISM) exam and in February, got a plane ride to Orlando to attend PCI-DSS Qualified Security Assessor (QSA) training from the PCI Security Standards Council.

I’m currently reading Christopher Hadnagy’s excellent book on social engineering; even if you weren’t in our profession, this book would be a fine resource because we all use social engineering to influence others. I wholeheartedly recommend his book and website at www.social-engineer.org!

Currently, most of my time is spent working to help merchants with their PCI-DSS compliance. I once thought I knew something about the PCI-DSS, but it’s like the iceberg, a LOT is under the surface. I’ve come to rely upon the outstanding Navigating the PCI DSS v2.0 document from the PCI Security Standards Council. It explains what the intent of the requirements are, which helps when you’re trying to translate this to a non-technical audience.

Recently, I decided to challenge myself in a different direction by volunteering to be the Communications Director for the ISACA Puget Sound Chapter. Being a member of a Board of Directors is a good thing, career-wise, and it’s nice to be involved in helping one of the professional organizations I belong to.

That’s it for now gentle readers!

Be well, and Be Happy.


Change is good.  Sometimes it can be painful and it may take a while to get some perspective and realize you’ve grown.  It’s all part of the process and I’ve learned to embrace or at least accept it.

What’s new?  I did a stint as an incident response handler earlier this year, then moved into SOX compliance and finally fell into a wormhole and emerged as an IT Security Auditor.  Not a stretch per se, but my information security talents have been stretched, in a good way, growth-wise.

So now I’m immersed in GLBA/FFIEC compliance engagements and have eyes on PCI-DSS and NERC-CIP work.  I’m thinking about adding another certification, possibly a CISM.

I’ve recently seen some friends in our industry brutalized by bad management, and then upon abrupt exits, become reborn and renewed, with a new sense of purpose and drive infusing their love of infosec. In the past, many people helped me when I was ‘dazed and confused’; if you find yourself able, reach out to someone and ask them ‘what’s the good word?’ Shower them with positivity and possibility!

Always keep moving and remember, even when you go one step forward, two steps back, you’re still making progress…


Peace y’all


2010 Rearview Mirror

January is a time of reflection and renewal, thinking about the past year and the present one.  We use this time to measure ourselves and set or renew goals, pointing our inner compass needles towards our own True North.

Looking back, 2010 was a successful year for me.  I didn’t get to do some things or attend all the conferences I wanted, but other items were handily accomplished and some good work got done!

Foremost, I partnered with IOActive, Consciere, and Insyndia to do consulting work.  This led to interesting security audit, risk assessment and vulnerability assessment work and I was fortunate to meet and work with some great people.  Shouts-out to Erin Jacobs, Glenn Kaleta, David Baker, Tab Pierce, and Joel Scambray in particular!

I also earned my CISA which gives me a stronger understanding of formally auditing information security environments.  Now, I’m thinking of how to use this new-found knowledge and where I’ll go next.

What will 2011 bring? As I chart this year’s course, I intend to visit new shores, make new acquaintances, and continue to grow as a person and infosec professional. I welcome the journey and its challenges!

Be well friends…

by Bill Wildprett, Suspicious Minds blog, Copyright 2011

No, I’m not thinking about porn or any other nasty stuff, just reflecting that like during Fall when we clean our house gutters, it’s appropriate to think about how we think and remove clogs and other impediments.

For me, that means diversifying my security readings and practices and thinking about where I might have blinders on.  This was brought home recently from someone I respect, Pete Herzog the Founder of ISECOM and the OSSTMM.  I had asked Pete via email if any of the Smarter, Safer, Better seminars would be on the West Coast (none yet); he kindly responded with information about who I could contact who might sponsor them and also gave me a backhanded compliment about passing the CISA exam, saying ‘now we’ll have to teach you the right way’ in essence.

I wasn’t offended but my curiosity was piqued.  My mind had been wrapped around earning a CISA for continued competence and professional respect; was my thinking so constrained by my learnings?  So, I’m resolved to read the OSSTMM Version 3 and work to use it.  I’d read through (read, skimmed) Version 2.2 a while back but hadn’t immersed myself.  From other authors, now I understand it as possibly a paradigm shift in how to think about security assessments, at least for me.

Another mental dustbuster for me has come from reading The Black Swan by Nassim Nicholas Taleb.  I’m not finished with the book, a testament to how well-written and insightful it is.  I find myself lingering over it and re-reading sections prior to moving on.  This is partially because ‘NNT’, as he refers to himself, is one deep thinker!  This tome takes some time to absorb and digest.  Taleb discusses extreme outliers, huge events that are completely unforeseen and that subsequently shake our foundations, institutions and psyches.  9/11 is one such event.  The salient idea is not to focus on prediction of such events but to build sufficient robustness against negative Black Swan Events and to take advantage of positive ones.

My challenge and task is to apply this modality of critical thinking to the domains of information security, along with that of the OSSTMM.

Just as more physical exercise will clear the arterial plaque from your personal system, it’s important to floss your brain or defrag your mind, however you want to put it, and at least recognize that you might need to.

Peace friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


After waiting two months to the day following the Certified Information Systems Auditor exam (CISA), I just learned that I PASSED!

Now I need to submit my Application for Certification to ISACA and wait another two months (so they say) for it to be approved before I can use my new certification title.

Reviewing my test scores by subject area told me that I didn’t do as well in some areas and better in others.  So, more studying is in order…

Oh Happy Day!  🙂

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


The other night, while my wife and I were walking Daisy, we had an ‘incident’ to respond to. Not computer related, but the principles of incident response still apply. Someone decided that abandoning three month-old kittens on the road down from our house was a good idea ~ ‘surely someone nice will give them homes!’

If we ignored their plight, the outcome would go three ways:

  1. Someone else might rescue them. Although, since it was after 10:00 P.M., this was unlikely.
  2. They’d be hit by cars.
  3. Wile E. Coyote and his brethren would enjoy their company.

So, we rescued them, sheltered them overnight and in the morning, off to the Humane Society (with a donation) they went, since we just can’t accommodate three kittens with our golden retriever.

Reflecting on this episode, I thought about how I’d been taught about incident response by SANS Institute instructors. The acronym I learned is PICERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons-learned.

We were prepared because we had cardboard boxes to hold them and a crate at home for the night.  We identified the problem, contained the kittens and eradicated the threats that night (no, we didn’t kill any coyotes).  Recovery happened in the morning and Lessons-learned are ongoing (expect the unexpected and assume breach are two of them).

The takeaway on this is that strange things happen and we can use our training, even very IT-security-specific training, to manage the event. Security is about doing the Right Thing, at the Right Time, for the Right Reasons ~ this incident was no exception and was definitely security-related, at least in the physical sense as far as the kittens were concerned.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010