July 25, 2011 Added by:PCI Guru
These sorts of actions by organizations just add fuel to the fire for critics to use as another argument as to why the PCI compliance programs are pointless and organizations should not bother with complying with any of the PCI standards...
July 12, 2011 Added by:PCI Guru
Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?
June 30, 2011 Added by:PCI Guru
"Until such time that it has completed a comprehensive examination of the mobile communications device and payment application landscape, the Council will not approve mobile payment applications used by merchants to accept and process payment as validated PA-DSS applications..."
June 25, 2011 Added by:PCI Guru
If I had to take the PCI SSC to task, I would argue that cloud computing does not have anything to do with virtualization. Yes, a lot of cloud computing solution providers are using virtualized systems to provide their services, but not every cloud provider uses virtualization...
June 23, 2011 Added by:Anton Chuvakin
The long-awaited PCI Council guidance on virtualization has been released. This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them...
June 22, 2011 Added by:Robb Reck
We bring in these third party vendors because we trust that they have all the experience and knowledge with a given security product. But they are missing a critical piece: Experience with our systems. No technology solution is complete and ideal for every environment out of the box...
June 15, 2011 Added by:PCI Guru
When you start talking to security people about VoIP security, their knee-jerk response is to tell you that VoIP is secured by the corporate firewall. However, given that the VoIP protocols are stateless, even being behind a firewall really does not provide any protection...
May 30, 2011 Added by:Joe Schorr
To truly improve their security posture, companies should create (and enforce) a mandatory ID Badge policy for visitors and employees. An effective policy coupled with good security awareness training will go a long way to closing up this particular gap in PCI-DSS 2.0...
May 26, 2011 Added by:PCI Guru
End-to-end encryption just moves the attack points, in this case out to the terminal at the merchant’s location. Worse yet, it also makes security of the merchant’s endpoint even more difficult than it already is because the techniques used in doctoring terminals can easily go unnoticed...
May 25, 2011 Added by:Headlines
“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data..."
May 20, 2011 Added by:Anton Chuvakin
All data is potentially under risk – but payment card data - and now ACH credentials - are easier to profit from if you are a criminal. Many companies use PCI DSS to learn about security and then expand their knowledge to protect other kinds of data, beyond the card numbers.,,
May 18, 2011 Added by:PCI Guru
The biggest change I have found thus far is the removal of the requirement to observe network traffic as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via WireShark or similar tool to prove that network traffic is encrypted...
May 10, 2011 Added by:PCI Guru
Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...
May 10, 2011 Added by:Anton Chuvakin
Most likely, Sony was validated as PCI DSS compliant at some point. Was there a QSA involved? I don’t know, but I’d guess they are comprised of multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ...
April 26, 2011 Added by:Anton Chuvakin
Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly some would pay with their very existence for this mistake...
April 22, 2011 Added by:Anton Chuvakin
PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...
Verizon Injecting Perma-Cookies to Track Mo... kim cung on 12-21-2014
Android Phones in China Hit by Most Costly M... kim cung on 12-21-2014
Ask The Experts: Why Do Security Testing of ... kim cung on 12-20-2014