December 16, 2010 Added by: PCI Guru
Changes that fall into these two categories do not require that the PA-QSA conduct a re-assessment of the application and file a new Report On Validation. The application continues to hold its existing PA-DSS certification. However, the PA-QSA is required to prepare and file a Minor Update...
December 13, 2010 Added by: Anton Chuvakin
Many pieces of network infrastructure such as routers and switches are designed to log to an external server and only preserve a minimum (or none) of logs on the device itself. Thus, for those systems, centralizing logs is most critical...
December 13, 2010 Added by: PCI Guru
Wal-Mart has a robust control environment. However, what this breach shows is that even with such an environment, a breach can still occur. That is not to say that Wal-Mart did not make mistakes and it is those mistakes that I want to point out so that we can all learn...
December 09, 2010 Added by: Anton Chuvakin
It is important to note that such a list has its roots in IT governance “best practices,” which prescribe monitoring access, authentication, authorization change management, system availability, and suspicious activity...
December 08, 2010 Added by: PCI Guru
The last year has tried to keep QSAs in the loop by issuing a monthly Assessor Update newsletter via email. These usually are not noteworthy, but the November 2010 issue contains a number of items that need to be shared just in case you miss your edition or you are not a QSA...
December 02, 2010 Added by: PCI Guru
Financial institutions argue like issuers that the PCI DSS is a merchant and service provider program. You will also hear them argue that the fact that they are state or federally regulated also puts them outside complying with the PCI DSS. All of this is a smoke screen...
December 01, 2010 Added by: Anton Chuvakin
Use of a PA-DSS compliant application by itself does not make an entity PCI DSS compliant, since that application must be implemented into a PCI DSS compliant environment and according to the PA-DSS Implementation Guide – this is useful for... ahem... reminding merchants about it...
November 24, 2010 Added by: PCI Guru
At the end of the day, the bottom line here is that all organizations are required to ensure that wireless networking is either not present on their network or, if present, it is only their wireless devices and that those wireless devices are appropriately implemented and secured...
November 19, 2010 Added by: PCI Guru
Unfortunately, the card brands have not helped the situation. The card brands' approach to breaches borders on childlike. In their view, it is everyone’s fault – the organization that was breached, the QSA, anyone except, of course, the card brands...
November 15, 2010 Added by: PCI Guru
The good news is that, for the most part, SSAE 16 and ISAE 3402 are essentially the same. There are a few differences that are important to financial auditors and lawyers, but should not have an impact on people relying on these reports for PCI compliance or other purposes...
November 10, 2010 Added by: Anthony M. Freed
With credit and debit card fraud as prevalent as it is, why would card brands push a product that is responsible for ten times more fraud than another? The answer is quite simple: The riskier the transaction, the higher the fees charged to the merchant - and ultimately to the consumer...
October 27, 2010 Added by: Anton Chuvakin
Regular testing and monitoring may be the most crucial but underrated and least appreciated aspects of security. If a merchant has to work at it throughout the year, as opposed to simply buy or check the box, compliance rates lag...
October 20, 2010 Added by: Anton Chuvakin
People who came to PCI DSS assessments and related services from doing pure information security often view PCI scope reduction as a cheap trick aimed at making PCI DSS compliance undeservedly easier. However, PCI DSS scope shrink is not just a cop out aimed at not protecting the data...
October 18, 2010 Added by: PCI Guru
I want to get the PCI SSC to repeal their inane Report On Compliance report writing standard. This standard has become onerous and, in the end, has become make-do work. To understand this situation, you need a bit of history...
October 14, 2010 Added by: PCI Guru
You really need to document valid business reasons as to why a compensating control is needed. The fact that your organization does not have the backbone to implement PCI DSS requirements is not a valid reason. That just does not cut it...
October 09, 2010 Added by: PCI Guru
There appears to be this belief that once merchants get rid of cardholder data, life will be so much better and safer. But is that really what will happen? What does happen once merchants get rid of cardholder data? Do the clouds part? Is there sunshine forever?