October 17, 2011 Added by:PCI Guru
It has been more than five years since the “sa” default password debacle and yet you still encounter applications that use service accounts to access their database and those service accounts have no password. The rationale? “We did not want to code the password into the application..."
October 12, 2011 Added by:Konrad Fellmann
Some organizations hoard data, but have no idea why. A business owner needs to figure out why the data needs to be kept, who will use the data, and how long it needs to be kept for business, legal or contractual reasons. Once defined, IT can implement proper controls to protect the data...
October 11, 2011 Added by:PCI Guru
If Visa were to work with the industry to produce a common API for EMV and contactless cards with PIN online, that would drive adoption of more secure cards in the US because there would be a business reason for adoption. Without such a driver, they are still a solution looking for a problem...
October 07, 2011 Added by:PCI Guru
Breaches occur because organizations get sloppy and, even with defense in depth in their security, there are too many controls where execution consistency has dropped leaving gaping holes in the various levels of security. However, once addressed, attackers will find other ways in...
October 04, 2011 Added by:Andrew Weidenhamer
As a QSA it is very frustrating to walk in, ask the merchant for the PA-DSS Implementation Guide, and receive a glazed over eye look. It's even more frustrating when you then ask the Vendor/Reseller for the Implementation Guide and they look at you as if you have three heads....
October 01, 2011 Added by:PCI Guru
QSAs are questioning the relevance of this clarification in outsourced and environments totally operated through bank-owned terminals and networks. TPCI SSC is clarifying these requirements is to ensure that QSAs are confirming that outsourced environments truly are out of scope...
September 22, 2011 Added by:PCI Guru
The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...
September 13, 2011 Added by:PCI Guru
Visa’s beef with my post is the implied connotation by using the term ‘Chip and PIN’ that a PIN would be required. All I was trying to do was to provide an easily Google-able term for people interested in EMV. Such a complaint from Visa is laughable if it were not so sad...
September 08, 2011 Added by:PCI Guru
Sometimes you can negotiate with your processor or acquiring bank to get your multiple legal entities treated as a single entity and do one compliance filing. The key is that you need to negotiate this change before you start your PCI compliance efforts, not after the fact...
August 31, 2011 Added by:PCI Guru
A Qualified Security Assessor Company (QSAC) has finally had their status revoked by the PCI SSC. Based on the FAQ, it seems that CSO was not able to provide documentation that supported their conclusions regarding assessment opinions in their ROC's and ROV's they had issued...
August 25, 2011 Added by:PCI Guru
EMV and contactless technologies do not entirely solve the fraud problem. While they minimize fraud in the case of card present transactions, they do not even address fraud in card not present transactions. And it is in card not present transactions where fraud is most prevalent...
August 12, 2011 Added by:PCI Guru
Tokenization does not imply encryption. However, encryption may be used for tokenization as can one-way hashing. When encryption is used as a way to tokenize sensitive information, the system receiving the token never has the capability to decrypt the token...
August 02, 2011 Added by:PCI Guru
The PCI SSC has stated in this latest clarification that Category 1 and 2 applications and devices can continue through the certification process. These mobile applications have been explicitly called out even though they have been part of the certification process in the past...
July 25, 2011 Added by:PCI Guru
These sorts of actions by organizations just add fuel to the fire for critics to use as another argument as to why the PCI compliance programs are pointless and organizations should not bother with complying with any of the PCI standards...
July 12, 2011 Added by:PCI Guru
Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?
June 30, 2011 Added by:PCI Guru
"Until such time that it has completed a comprehensive examination of the mobile communications device and payment application landscape, the Council will not approve mobile payment applications used by merchants to accept and process payment as validated PA-DSS applications..."
Mass Disclosure of Vulnerabilities in SAP... john niko on 12-09-2013
Join Trend Micro & SecurityWeek in Belle... Shah Alam on 12-06-2013
Looking Beyond "Black Box Testing"... Paul Reed on 12-03-2013