PCI DSS

Fc152e73692bc3c934d248f639d9e963

Pre-Authorization Data – The Card Brands Weigh In

January 28, 2013 Added by:PCI Guru

Acquiring banks, for the most part, cannot answer basic questions about the PCI DSS, so we are supposed to believe that they are experts on retention of pre-authorization data based on a company’s vertical market and region? Talk about passing the buck...

Comments  (0)

48f758be63686a73484a7380e94f73d0

The Phoenix Project: A Review

January 16, 2013 Added by:Ed Bellis

Gene Kim was kind enough to provide me with an advanced review copy of The Phoenix Project who is a co-author of the book. Fair warning: the first half of this book brought back nails-on-a-chalkboard type memories of dealing with large-scale audits and everything that comes with it...

Comments  (0)

8a958994958cdf24f0dc051edfe29462

Common Sense Cybersecurity

January 13, 2013 Added by:Larry Karisny

We start with one big problem. Internet architecture was never made for security. One of my earliest articles quoted the father of the Internet Vint Cerf by saying, "One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet."

Comments  (0)

E85787adcaf7bca10e799cfd1cfd08f1

Compliance Combines with Vulnerability Scanning to Create Aegify

December 10, 2012 Added by:Michelle Drolet

Two security firms, the established Rapid7 vulnerability manager and eGestalt, a cloud-based compliance management provider, have signed an OEM deal that will do something for the IT security industry that hasn’t been done before: a combination security and compliance posture management...

Comments  (1)

145dfdfe39f987b240313956a81652d1

Pen Test vs. Vulnerability Scan: You know the difference, but do they?

November 28, 2012 Added by:Stacey Holleran

Small business owners often don't have someone who is versed in network security. So when they are told they need a “network penetration test” to comply with PCI DSS, many will contact the growing number of companies offering inexpensive testing services...

Comments  (5)

D03c28fd5a80c394905c980ee1ecdc88

E-mailing Passwords - Practice What You Preach

November 19, 2012 Added by:Bill Mathews

That’s right, I got an email with my username and password listed right there. That probably doesn’t anger normal people (let alone drive them to write an article about it), but I have never been accused of being normal so I’m pretty annoyed. Here, in no particular order, are my reasons for the anger and frustration...

Comments  (6)

Fc152e73692bc3c934d248f639d9e963

The Amazon Cloud And PCI Compliance

November 07, 2012 Added by:PCI Guru

The first part of the mythology revolves around what PCI compliant services Amazon Web Services (AWS) is actually providing. According to AWS’s Attestation Of Compliance, AWS is a Hosting Provider for Web and Hardware. The AOC calls out that the following services have been assessed PCI compliant...

Comments  (1)

F66c1a87a8db2cb584b4e06e93a84ce3

Online Banking: A Trust Opportunity to (Re)gain?

October 09, 2012 Added by:Mikko Jakonen

How come banks are telling people to maintain their security better, without putting their OWN reputation and capabilities in line with the DIRECT consequences of the change paradigm towards ‘webalized’ approach we have witnessed for years, has now resulted as poor operational security...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

Third Party Service Providers and PCI Compliance

September 25, 2012 Added by:PCI Guru

If a third party is providing your organization a service that has access to your cardholder data environment (CDE) or the third party could come into contact you’re your cardholder data (CHD), then that third party must ensure that the service complies with all relevant PCI requirements...

Comments  (3)

37d5f81e2277051bc17116221040d51c

Banks Should Promote EMV

September 04, 2012 Added by:Robert Siciliano

“EMV transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal... EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions...”

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

Pre-Authorization Data: The Definitive Answer

September 03, 2012 Added by:PCI Guru

Just to be clear, I have never argued that pre-authorization data was not to be secured with the same diligence as post-authorization data. I just could not find anything in the PCI DSS that explicitly called out the coverage of pre-authorization data.

Comments  (0)

Bd07d58f0d31d48d3764821d109bf165

Compliance is Not Always a Four-Letter Word

August 22, 2012 Added by:Tripwire Inc

This typical reaction I get in the US is many organizations see compliance as a “tax” and try to get away with doing the bare minimum. How do you and your organizations view compliance? Do you see it as a four-letter word, a nuisance, or as a step along the path to more effective security?

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

PA-DSS Validation Clarification

August 09, 2012 Added by:PCI Guru

The PA-DSS has a procedure that the PA-QSA can follow to determine that version changes have not affected cardholder data processing and the application’s PA-DSS validation. Without that validation, as a QSA, our hands are tied and we must conduct a full assessment of the application under the PCI DSS...

Comments  (0)

145dfdfe39f987b240313956a81652d1

Small Tech Firms Pursue Level 1 Service Provider PCI Compliance

July 01, 2012 Added by:Stacey Holleran

Small technology companies are finding themselves in a unique business situation as prospective clients increasingly request software applications and hosting solutions that can accommodate secure mobile payment transactions, bringing these technology companies to the forefront as “merchant service providers”...

Comments  (0)

Fc152e73692bc3c934d248f639d9e963

Call Centers and PCI Compliance

June 28, 2012 Added by:PCI Guru

In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking pre-authorization data. Only cardholder data after authorization or decline is covered by the PCI DSS...

Comments  (2)

Fc152e73692bc3c934d248f639d9e963

More on PCI Scoping

June 22, 2012 Added by:PCI Guru

“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope"...

Comments  (1)

Page « < 3 - 4 - 5 - 6 - 7 > »