Posted on by Steve Levinson

I’ve had dozens of discussions with our clients over the past decade to help them determine if they are doing a reasonable job in evaluating risk in their PCI environment (note – you can replace “PCI” with “any data/critical assets that you care about”). Over the course of participating in hundreds of PCI assessments, we have noticed that many companies’ risk assessment processes have been maturing nicely. Many moons ago, it was rather common for clients to ask, tongue in …



Posted on by Steve Levinson

In the Internet we Trust. At least we used to. Given today’s announcement that the “Heartbleed” bug exposes a flaw in the mechanisms that we’ve relied upon for protecting sensitive information on the web (think passwords, credit card numbers, ANYTHING that is entered on a website), it is cause for immediate concern. In layman’s terms, this vulnerability allows an attacker to read (capture) the memory of web servers running affected versions of OpenSSL, a cryptographic software library, potentially exposing …
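To make the "read the server's memory" point concrete, here is an added example that is not part of the original post or of OpenSSL itself. It models the TLS Heartbeat message from RFC 6520 in Python: a request carries a two-byte payload_length, and the pre-fix server trusted that number instead of checking it against the size of the record it actually received, so the copy ran past the record into whatever sat next in the process heap. The "adjacent heap" contents, the server functions and the probe are all constructed for this demo; a real probe claims up to 65535 bytes and wraps the message in a TLS record, which is omitted here.

```python
"""
Added example: a minimal model of the TLS Heartbeat message (RFC 6520) showing
why the Heartbleed bug leaks memory and what the fix checks. The "process
memory" and the secrets in it are constructed for this demo, not real data.
"""
import struct
from typing import Callable, Optional

HB_REQUEST = 1      # HeartbeatMessageType heartbeat_request
HB_RESPONSE = 2     # HeartbeatMessageType heartbeat_response
MIN_PADDING = 16    # RFC 6520: padding is at least 16 bytes

# Constructed stand-in for whatever happens to sit after the heartbeat record
# on the server's heap (data belonging to other connections, for example).
ADJACENT_HEAP = b"Cookie: session=9f3a7c2e1b; user=alice; pan=4111111111111111\r\n"


def build_heartbeat_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """HeartbeatMessage = type(1) || payload_length(2, big-endian) || payload || padding.

    claimed_length lets the caller lie about payload_length. A Heartbleed probe
    sends a tiny payload with a large claimed length; an honest client sends
    claimed_length == len(payload).
    """
    if claimed_length is None:
        claimed_length = len(payload)
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * MIN_PADDING


def _response(payload: bytes) -> bytes:
    return bytes([HB_RESPONSE]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def vulnerable_respond(record: bytes) -> Optional[bytes]:
    """Models the buggy OpenSSL behaviour (1.0.1 through 1.0.1f): payload_length
    is taken from the attacker-controlled message and never compared with the
    size of the record that actually arrived, so the copy runs past the record
    into adjacent memory."""
    if len(record) < 3 or record[0] != HB_REQUEST:
        return None
    memory = record + ADJACENT_HEAP                 # simulated heap layout (constructed)
    payload_length = struct.unpack("!H", record[1:3])[0]
    payload = memory[3:3 + payload_length]          # BUG: bound is payload_length, not len(record)
    return _response(payload)


def fixed_respond(record: bytes) -> Optional[bytes]:
    """Models the 1.0.1g fix: the message must be long enough to hold the type,
    the length field, the claimed payload and the minimum padding, otherwise it
    is silently discarded (RFC 6520 section 4)."""
    if len(record) < 1 + 2 + MIN_PADDING or record[0] != HB_REQUEST:
        return None
    payload_length = struct.unpack("!H", record[1:3])[0]
    if 1 + 2 + payload_length + MIN_PADDING > len(record):
        return None                                 # claimed length does not fit: drop it
    payload = record[3:3 + payload_length]
    return _response(payload)


def probe(responder: Callable[[bytes], Optional[bytes]],
          payload: bytes = b"hat", claimed_length: int = 64) -> bytes:
    """Client-side check: send an over-claimed heartbeat and return whatever the
    responder echoed beyond the payload we actually sent. Empty bytes means no
    leak (the server either dropped the message or echoed only the real payload)."""
    response = responder(build_heartbeat_request(payload, claimed_length))
    if response is None or response[0] != HB_RESPONSE:
        return b""
    echoed_len = struct.unpack("!H", response[1:3])[0]
    echoed = response[3:3 + echoed_len]
    if echoed[:len(payload)] != payload:
        return b""
    return echoed[len(payload):]


if __name__ == "__main__":
    leaked = probe(vulnerable_respond)
    print("vulnerable server leaked %d bytes: %r" % (len(leaked), leaked))
    print("fixed server leaked %d bytes" % len(probe(fixed_respond)))
```

Running the probe against the vulnerable responder returns the padding plus the start of the constructed cookie and card number; the fixed responder returns nothing, because it drops a message whose claimed length exceeds what arrived. Note that both responders behave identically for an honest request, which is why the bug went unnoticed for so long.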



Posted on by Steve Levinson

As most folks know, Microsoft’s flagship operating system, Windows XP, is going end-of-life as of April 8. Given that about one out of every three computers runs this OS, there may be serious ramifications for those who opt for the “do nothing” alternative. If you are running this operating system, you may not be vulnerable the day that it goes end-of-life, but as soon as there is a known vulnerability and if you HAVEN’T done anything to …



Posted on by Steve Levinson

As most of the world is aware by now, the recent credit card breach at Target (between November 27 and December 15) netted the attackers 40 million credit and debit cards, as well as personal information, such as phone numbers and addresses, of as many as 70 million more. For a few very long weeks, there was scant information about the attack vector and the malware involved with the attack. This posting is a follow-up to my recent posting where …



Posted on by Steve Levinson

As most of the world is aware by now, the recent credit card breach at Target netted the attackers over 40 million credit cards between November 27 and December 15. This is the largest reported breach of a merchant since the TJX breach in 2006. Thus far, Target and the forensic community have been pretty tight-lipped about this breach. We’ve reached out to dozens of our peers to try to cobble together how the breach occurred, but at this point, …



Posted on by Steve Levinson

Visa has always been on the forefront of the payment card industry, often being the first out of the gate to provide sage wisdom to the payment community at large. Some of my favorite people at Visa, Tia Ilori and Ingrid Beierly, have put together a great presentation to address the most recent security trends and breaches. The presentation will soon be posted at www.visa.com/cisp. We are all aware of some of the grocery store breaches from this year which were …



Posted on by Steve Levinson

Anyone who has had the pleasure (or displeasure, depending on your perspective) of dealing with PCI (Payment Card Industry) compliance is most likely aware that the next version of the PCI Data Security Standard (DSS) will be released in November. The PCI Council has begun the “socialization” process by issuing a press release that describes the upcoming changes at a high level. We will continue to keep you abreast of these changes as the details pertaining to the new version of the …



Posted on by Steve Levinson

The hacking community continues to go after the small and midsized merchants who often lack the security maturity to adequately protect their systems and data, which makes them easier targets. In the wake of the recent breach at Schnuck’s, a 100-store grocery chain in the Midwest, where the hackers purportedly walked away with a couple million credit cards, Visa released a security alert to provide guidance to grocers to help fight off these attacks: http://usa.visa.com/download/merchants/alert-prevent-grocer-malware-attacks-04112013.pdf. First, the bulletin …
