Beautiful Writing

23 01 2009

UPDATE: A decent round of commentary going on about this on the PCI Answers blog. I’ve added my two cents within the comments. You can read through the discussion here.

I have been lurking in a lot of the usual places lately, listening to and reading all the commentary about payment security prompted by the Heartland Payment Systems incident. I’m not going to comment on the incident here; there are already plenty of people offering up their opinions.

What do I want to mention about all this chatter? You are having the wrong debate! So many people in security are talking about what this means for PCI. Is PCI effective? Was there an issue with the assessment? To this I say “it doesn’t matter”. None of this is the root cause.

Jeremiah Grossman has a really good post on aligning incentives here. This is getting much closer to the real issues in payment security. Want to know more? Well this is where my shameless and disgusting self promotion comes in. :)

I have had the privilege of participating in writing a new book for O’Reilly, Beautiful Security. For those of you not familiar with the series, this is a follow-up to Beautiful Code and Beautiful Architecture. It’s a compilation where each author contributes a single chapter on a security topic, mine being securing ecommerce transactions. Below is the product description as found on Amazon:

Product Description
In this thought-provoking anthology, today’s security experts describe bold and extraordinary methods used to secure computer systems in the face of ever-increasing threats. Beautiful Security features a collection of essays and insightful analyses by leaders such as Ben Edelman, Grant Geyer, John McManus, and a dozen others who have found unusual solutions for writing secure code, designing secure applications, addressing modern challenges such as wireless security and Internet vulnerabilities, and much more.

Among the book’s wide-ranging topics, you’ll learn how new and more aggressive security measures work — and where they will lead us. Topics include:

  • Rewiring the expectations and assumptions of organizations regarding security
  • Security as a design requirement
  • Evolution and new projects in Web of Trust
  • Legal sanctions to enforce security precautions
  • An encryption/hash system for protecting user data
  • The criminal economy for stolen information
  • Detecting attacks through context

Go beyond the headlines, hype, and hearsay. With Beautiful Security, you’ll delve into the techniques, technology, ethics, and laws at the center of the biggest revolution in the history of network security. It’s a useful and far-reaching discussion you can’t afford to miss.

Special thanks to Mark Curphey and John Viega for involving me in this project. There are lots of other authors much smarter than I, such as Anton Chuvakin, Mudge, and others. All author proceeds are being donated to charity (IETF), another fantastic reason to pick up a copy!

Let’s stop arguing about how to build a better band-aid. It’s time to start talking more about addressing the root cause issues, and spend less time on the religious churn and debate around specific compliance requirements.


3 responses

23 01 2009
David Bergert

Do you have a release date for the book?

23 01 2009
cleartext

Hi David,

As of right now, it looks to be about mid-April. You can sign up for notification on amazon.com.

23 01 2009
Alex

Too much focus on prevention and not enough on detection and response. As you and I discussed briefly on Twitter this fall – we should make it so that there is no value at all in obtaining the CC#. Taking away the value of the “shared secret” doesn’t mean ineffective security as long as there is stronger detection and responsive measures (cardholder pictures on the card, one time PINs, stronger penalties for retail employees who don’t authenticate the person presenting the card with the name on the card, etc…).

We have the technology, we can rebuild it!
