Skip to main content

The WiKID Blog

Viewing posts tagged pci


There is a great article on the current state of phishing on The article discusses phishing kits with backdoors (phishers phishing phishers), the market for identity information, the lack of sophistication of phishers and some recommendations:

We aren’t going to solve the problem of online PII (Personally Identifiable Information) and identify theft just by writing even more secure code (although it certainly helps), or by continuing to play whack-a-mole with phishers. The system of relying on static identifiers to commit financial transactions needs to be rethought.
Commercial financial institutions such as credit card companies and banks realize that the cost of implementing a new system that does not merely rely on static identifiers is higher than the fraud committed, so they decide to accept the cost. This is the reason why the system has not changed. Unfortunately, financial institutions only take into account their cost when making this decision, but it also ends up affecting the lives of millions of people who have to pay with their identities when such fraud is committed (this cost is also shared by other companies that want to have the capacity to process transactions. The PCI standard is a good example of this situation).
The expectation is that the band-aid approach will continue to be applied until the costs exceed the expense of two-factor authentication.


I've written another how-to for Howtoforge. This article describes how to combine WiKID and NoMachine's NX products to secure VNC. It should be noted that NoMachine offers a lot more functionality and speed than just tunneling VNC through SSH. It is incredibly fast and allows for remote X and RPD in addition to VNC. They have a version that is free for two concurrent connections.


In an interesting twist in the continuing PCI story, the Texas legislature may mandate PCI compliance:

According to the language of the bill, "A business that, in the regular course of business, collects, maintains, or stores sensitive personal information in connection with an access device must comply with payment card industry data security standards." The bill would allow a financial institution in the state to request a breached entity to provide certification of its compliance with PCI specified controls. HB 3222 would require the certification to be issued by a PCI-approved auditor no earlier than 90-days before the breach.
It sounds like retailers would have to be audited every 90 days! Is this bill the work of the financial institutions or the auditors?


Just a quick note to check our our howto on HTF: How To Secure Postgresql Using Two-Factor Authentication From WiKID . Since databases are the repository for critical information such as credit card numbers, we thought this would be a useful edition given PCI requirements, etc.


Computerworld has a summary commemorating the one-year anniversary of the TJX breach. I agree with the article. The PCI Standard is a work in progress; Bad guys are hard to catch; etc.

Recent Posts







RSS / Atom