PCI DSS

The PA-DSS Certification Clarification

December 16, 2010 Added by: PCI Guru

Changes that fall into these two categories do not require that the PA-QSA conduct a re-assessment of the application and file a new Report On Validation. The application continues to hold its existing PA-DSS certification. However, the PA-QSA is required to prepare and file a Minor Update...

Complete PCI DSS Log Review Procedures Part 3

December 13, 2010 Added by: Anton Chuvakin

Many pieces of network infrastructure such as routers and switches are designed to log to an external server and only preserve a minimum (or none) of logs on the device itself. Thus, for those systems, centralizing logs is most critical...

The Anatomy of a Breach

December 13, 2010 Added by: PCI Guru

Wal-Mart has a robust control environment. However, what this breach shows is that even with such an environment, a breach can still occur. That is not to say that Wal-Mart did not make mistakes and it is those mistakes that I want to point out so that we can all learn...

Complete PCI DSS Log Review Procedures Part 2

December 09, 2010 Added by: Anton Chuvakin

It is important to note that such a list has its roots in IT governance “best practices,” which prescribe monitoring access, authentication, authorization, change management, system availability, and suspicious activity...

Interesting Announcements From The PCI SSC

December 08, 2010 Added by: PCI Guru

The last year has tried to keep QSAs in the loop by issuing a monthly Assessor Update newsletter via email. These usually are not noteworthy, but the November 2010 issue contains a number of items that need to be shared just in case you miss your edition or you are not a QSA...

PCI DSS for Issuers and Financial Institutions

December 02, 2010 Added by: PCI Guru

Financial institutions argue like issuers that the PCI DSS is a merchant and service provider program. You will also hear them argue that the fact that they are state or federally regulated also puts them outside complying with the PCI DSS. All of this is a smoke screen...

Random Highlights From PCI DSS 2.0

December 01, 2010 Added by: Anton Chuvakin

Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide – this is useful for... ahem... reminding merchants about it...

Requirements That Are Never Not Applicable

November 24, 2010 Added by: PCI Guru

At the end of the day, the bottom line here is that all organizations are required to ensure that wireless networking is either not present on their network or, if present, it is only their wireless devices and that those wireless devices are appropriately implemented and secured...

Who Is Responsible In A Breach?

November 19, 2010 Added by: PCI Guru

Unfortunately, the card brands have not helped the situation. The card brands' approach to breaches borders on childlike. In their view, it is everyone’s fault – the organization that was breached, the QSA, anyone except, of course, the card brands...

SAS 70 Is Dead!

November 15, 2010 Added by: PCI Guru

The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same. There are a few differences that are important to financial auditors and lawyers, but should not have an impact on people relying on these reports for PCI compliance or other purposes...

Payment Card Industry Pursues Profits Over Security

November 10, 2010 Added by: Anthony M. Freed

With credit and debit card fraud as prevalent as it is, why would card brands push a product that is responsible for ten times more fraud than another? The answer is quite simple: The riskier the transaction, the higher the fees charged to the merchant - and ultimately to the consumer...

Analysis of the Verizon PCI Report

October 27, 2010 Added by: Anton Chuvakin

Regular testing and monitoring may be the most crucial but underrated and least appreciated aspects of security. If a merchant has to work at it throughout the year, as opposed to simply buy or check the box, compliance rates lag...

On Scope Shrinkage in PCI DSS

October 20, 2010 Added by: Anton Chuvakin

People who came to PCI DSS assessments and related services from doing pure information security often view PCI scope reduction as a cheap trick aimed at making PCI DSS compliance undeservedly easier. However, PCI DSS scope shrink is not just a cop out aimed at not protecting the data...

The 2010 PCI Community Meeting

October 18, 2010 Added by: PCI Guru

I want to get the PCI SSC to repeal their inane Report On Compliance report writing standard. This standard has become onerous and, in the end, has become make do work. To understand this situation, you need a bit of history...

Writing A Compensating Control

October 14, 2010 Added by: PCI Guru

You really need to document valid business reasons as to why a compensating control is needed. The fact that your organization does not have the backbone to implement PCI DSS requirements is not a valid reason. That just does not cut it...

When Merchants Get Rid Of Cardholder Data

October 09, 2010 Added by: PCI Guru

There appears to be this belief that once merchants get rid of cardholder data, life will be so much better and safer. But is that really what will happen? What does happen once merchants get rid of cardholder data? Do the clouds part? Is there sunshine forever?