December 09, 2010 Added by: Anton Chuvakin
It is important to note that such a list has its roots in IT governance “best practices,” which prescribe monitoring access, authentication, authorization, change management, system availability, and suspicious activity...
December 08, 2010 Added by: PCI Guru
The last year has tried to keep QSAs in the loop by issuing a monthly Assessor Update newsletter via email. These usually are not noteworthy, but the November 2010 issue contains a number of items that need to be shared just in case you miss your edition or you are not a QSA...
December 02, 2010 Added by: PCI Guru
Financial institutions argue like issuers that the PCI DSS is a merchant and service provider program. You will also hear them argue that the fact that they are state or federally regulated also puts them outside complying with the PCI DSS. All of this is a smoke screen...
December 01, 2010 Added by: Anton Chuvakin
Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide – this is useful for... ahem... reminding merchants about it...
November 24, 2010 Added by: PCI Guru
At the end of the day, the bottom line here is that all organizations are required to ensure that wireless networking is either not present on their network or, if present, it is only their wireless devices and that those wireless devices are appropriately implemented and secured...
November 19, 2010 Added by: PCI Guru
Unfortunately, the card brands have not helped the situation. The card brands' approach to breaches borders on childlike. In their view, it is everyone’s fault – the organization that was breached, the QSA, anyone except, of course, the card brands...
November 15, 2010 Added by: PCI Guru
The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same. There are a few differences that are important to financial auditors and lawyers, but should not have an impact on people relying on these reports for PCI compliance or other purposes...
November 10, 2010 Added by: Anthony M. Freed
With credit and debit card fraud as prevalent as it is, why would card brands push a product that is responsible for ten times more fraud than another? The answer is quite simple: The riskier the transaction, the higher the fees charged to the merchant - and ultimately to the consumer...
October 27, 2010 Added by: Anton Chuvakin
Regular testing and monitoring may be the most crucial but underrated and least appreciated aspects of security. If a merchant has to work at it throughout the year, as opposed to simply buy or check the box, compliance rates lag...
October 20, 2010 Added by: Anton Chuvakin
People who came to PCI DSS assessments and related services from doing pure information security often view PCI scope reduction as a cheap trick aimed at making PCI DSS compliance undeservedly easier. However, PCI DSS scope shrink is not just a cop-out aimed at not protecting the data...
October 18, 2010 Added by: PCI Guru
I want to get the PCI SSC to repeal their inane Report On Compliance report writing standard. This standard has become onerous and, in the end, has become make do work. To understand this situation, you need a bit of history...
October 14, 2010 Added by: PCI Guru
You really need to document valid business reasons as to why a compensating control is needed. The fact that your organization does not have the backbone to implement PCI DSS requirements is not a valid reason. That just does not cut it...
October 09, 2010 Added by: PCI Guru
There appears to be this belief that once merchants get rid of cardholder data, life will be so much better and safer. But is that really what will happen? What does happen once merchants get rid of cardholder data? Do the clouds part? Is there sunshine forever?
October 05, 2010 Added by: Phil Agcaoili
We have a problem with new disruptive technology and we need to treat all endpoint systems as hostile. New consumer technology that's brought into the workplace (a trend known as consumerization of IT), the consumer use of free or low-cost cloud services for the connected online life, and the enterprise shift towards the cloud for vertical business applications are rapidly affecting the way worker...
September 28, 2010 Added by: PCI Guru
Card-not-present fraud is out of control. It is growing at 25% to 30% annually around the world, even in those places that have EMV. However, EMV could provide a solution to a tremendous reduction in card-not-present fraud if such an on-line security standard were developed...
September 21, 2010 Added by: PCI Guru
The bottom line is that there are risks with EMV and it is not the panacea that its proponents like to portray. It has known and unknown flaws just like any other piece of technology. So, let us all admit that fact and move forward...