PCI DSS

PCI DSS in the Cloud... From the PCI Council

June 23, 2011 Added by: Anton Chuvakin

The long-awaited PCI Council guidance on virtualization has been released. This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them...

Comments (1)

Thoughts on Trustwave's 2011 Global Security Report

June 22, 2011 Added by: Robb Reck

We bring in these third party vendors because we trust that they have all the experience and knowledge with a given security product. But they are missing a critical piece: Experience with our systems. No technology solution is complete and ideal for every environment out of the box...

Comments (2)

VoIP and PCI Compliance

June 15, 2011 Added by: PCI Guru

When you start talking to security people about VoIP security, their knee-jerk response is to tell you that VoIP is secured by the corporate firewall. However, given that the VoIP protocols are stateless, even being behind a firewall really does not provide any protection...

Comments (1)

Onsite Personnel "Don't Need No Stinkin' Badges" for PCI

May 30, 2011 Added by: Joe Schorr

To truly improve their security posture, companies should create (and enforce) a mandatory ID Badge policy for visitors and employees. An effective policy coupled with good security awareness training will go a long way to closing up this particular gap in PCI-DSS 2.0...

Comments (2)

E2E Encryption and Doctored Credit Card Terminals

May 26, 2011 Added by: PCI Guru

End-to-end encryption just moves the attack points, in this case out to the terminal at the merchant’s location. Worse yet, it also makes security of the merchant’s endpoint even more difficult than it already is because the techniques used in doctoring terminals can easily go unnoticed...

Comments (0)

Mobile Network Operators Lack PCI DSS Compliance

May 25, 2011 Added by: Headlines

“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data..."

Comments (0)

PCI DSS eCommerce Questions Answered

May 20, 2011 Added by: Anton Chuvakin

All data is potentially under risk – but payment card data - and now ACH credentials - are easier to profit from if you are a criminal. Many companies use PCI DSS to learn about security and then expand their knowledge to protect other kinds of data, beyond the card numbers...

Comments (0)

Draft PCI DSS v2.0 “Scorecard” Released

May 18, 2011 Added by: PCI Guru

The biggest change I have found thus far is the removal of the requirement to observe network traffic as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via WireShark or similar tool to prove that network traffic is encrypted...

Comments (0)

PCI QSA Re-Certification – 2011 Edition

May 10, 2011 Added by: PCI Guru

Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...

Comments (0)

On the Sony PSN Breach and Commenting

May 10, 2011 Added by: Anton Chuvakin

Most likely, Sony was validated as PCI DSS compliant at some point. Was there a QSA involved? I don’t know, but I’d guess they are comprised of multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ...

Comments (0)

PCI Security Compliance Q and A with Anton Chuvakin pt2

April 26, 2011 Added by: Anton Chuvakin

Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly some would pay with their very existence for this mistake...

Comments (1)

PCI Security Compliance: Q and A with Anton Chuvakin

April 22, 2011 Added by: Anton Chuvakin

PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...

Comments (0)

PCI SSC Updates the ASV Training Program

April 05, 2011 Added by: PCI Guru

The ASV training program has blindsided the ASV community as it was a total surprise. Yes, there has been talk over the years at the Community Meetings and in other venues regarding ASV qualifications and training, but nothing ever seemed to come from those discussions...

Comments (0)

PCI Compliance and Virtualization

March 24, 2011 Added by: PCI Guru

It still surprises me the number of IT professionals that seem to think that because they are implementing Windows or Linux as a virtual machine there is something different about security and you can skimp on hardening. Security hardening procedures need to be completely followed regardless...

Comments (0)

Complete PCI DSS Log Review Procedures Part 18 FINAL

March 22, 2011 Added by: Anton Chuvakin

For log exceptions copied from a log aggregation tool or from the original log file, make sure that the entire log is copied, especially its time stamp, which is likely to be different from the time of this record, and the system from which it came - what/when/where, etc...

Comments (0)

Payment Card Industry Data Security Standards Overview

March 17, 2011 Added by: Jon Stout

In a nutshell, the PCI DSS requires companies to build and maintain a secure network. The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities...

Comments (0)