May 26, 2011 Added by: PCI Guru
End-to-end encryption just moves the attack points, in this case out to the terminal at the merchant’s location. Worse yet, it also makes security of the merchant’s endpoint even more difficult than it already is because the techniques used in doctoring terminals can easily go unnoticed...
May 25, 2011 Added by: Headlines
“The survey shows that there is clearly room for improvement by the mobile operator community in addressing PCI DSS compliance, and it is critical that operators not yet compliant take appropriate measures to ensure the security of their customer’s sensitive cardholder data..."
May 20, 2011 Added by: Anton Chuvakin
All data is potentially under risk – but payment card data – and now ACH credentials – are easier to profit from if you are a criminal. Many companies use PCI DSS to learn about security and then expand their knowledge to protect other kinds of data, beyond the card numbers...
May 18, 2011 Added by: PCI Guru
The biggest change I have found thus far is the removal of the requirement to observe network traffic, as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via Wireshark or a similar tool to prove that network traffic is encrypted...
May 10, 2011 Added by: PCI Guru
Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...
May 10, 2011 Added by: Anton Chuvakin
Most likely, Sony was validated as PCI DSS compliant at some point. Was there a QSA involved? I don’t know, but I’d guess they are comprised of multiple Level 2 (and below) merchants, not one Sony-wide Level 1. Thus they self-assessed via SAQ...
April 26, 2011 Added by: Anton Chuvakin
Perception of electronic and digital risks does not come naturally to people – and IT managers and directors are people too. So many organizations will severely underestimate computer risks and, sadly, some would pay with their very existence for this mistake...
April 22, 2011 Added by: Anton Chuvakin
PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...
April 05, 2011 Added by: PCI Guru
The ASV training program has blindsided the ASV community as it was a total surprise. Yes, there has been talk over the years at the Community Meetings and in other venues regarding ASV qualifications and training, but nothing ever seemed to come from those discussions...
March 24, 2011 Added by: PCI Guru
It still surprises me the number of IT professionals who seem to think that because they are implementing Windows or Linux as a virtual machine there is something different about security and you can skimp on hardening. Security hardening procedures need to be completely followed regardless...
March 22, 2011 Added by: Anton Chuvakin
For log exceptions copied from a log aggregation tool or from the original log file, make sure that the entire log is copied, especially its time stamp, which is likely to be different from the time of this record, and the system from which it came – what/when/where, etc...
March 17, 2011 Added by: Jon Stout
In a nutshell, the PCI DSS requires companies to build and maintain a secure network. The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities...
March 11, 2011 Added by: Anton Chuvakin
Periodic Operational Task Summary: The following contains a summary of operational tasks related to logging and log review. Some of the tasks are described in detail in the document above; others are auxiliary tasks needed for successful implementation of a PCI DSS log review program...
March 09, 2011 Added by: Anton Chuvakin
Accidental exposure of cardholder data is a known risk. Identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security...
March 08, 2011 Added by: PCI Guru
As a new technology matures, its security posture matures. With a more mature security posture, the lower the likelihood that a security incident will occur. However, the time it takes for that security maturity to occur can take quite a while, and that is where organizations are at the highest risk...
March 06, 2011 Added by: Aleksandr Yampolskiy
PCI DSS was created to enforce a set of minimum security standards. If your company accepts credit cards as a form of payment, then it must comply with the PCI standard. You want to use PCI compliance to tighten the security in your company; you don’t want a QSA to let you off easy...