January 16, 2013 Added by:Ed Bellis
Gene Kim was kind enough to provide me with an advanced review copy of The Phoenix Project who is a co-author of the book. Fair warning: the first half of this book brought back nails-on-a-chalkboard type memories of dealing with large-scale audits and everything that comes with it...
January 13, 2013 Added by:Larry Karisny
We start with one big problem. Internet architecture was never made for security. One of my earliest articles quoted the father of the Internet Vint Cerf by saying, "One of things incumbent on all of us is to introduce strong authentication into the fabric of the smart grid. We did not do that with the Internet."
December 10, 2012 Added by:Michelle Drolet
Two security firms, the established Rapid7 vulnerability manager and eGestalt, a cloud-based compliance management provider, have signed an OEM deal that will do something for the IT security industry that hasn’t been done before: a combination security and compliance posture management...
November 28, 2012 Added by:Stacey Holleran
Small business owners often don't have someone who is versed in network security. So when they are told they need a “network penetration test” to comply with PCI DSS, many will contact the growing number of companies offering inexpensive testing services...
November 19, 2012 Added by:Bill Mathews
That’s right, I got an email with my username and password listed right there. That probably doesn’t anger normal people (let alone drive them to write an article about it), but I have never been accused of being normal so I’m pretty annoyed. Here, in no particular order, are my reasons for the anger and frustration...
November 07, 2012 Added by:PCI Guru
The first part of the mythology revolves around what PCI compliant services Amazon Web Services (AWS) is actually providing. According to AWS’s Attestation Of Compliance, AWS is a Hosting Provider for Web and Hardware. The AOC calls out that the following services have been assessed PCI compliant...
October 09, 2012 Added by:Mikko Jakonen
How come banks are telling people to maintain their security better, without putting their OWN reputation and capabilities in line with the DIRECT consequences of the change paradigm towards ‘webalized’ approach we have witnessed for years, has now resulted as poor operational security...
September 25, 2012 Added by:PCI Guru
If a third party is providing your organization a service that has access to your cardholder data environment (CDE) or the third party could come into contact you’re your cardholder data (CHD), then that third party must ensure that the service complies with all relevant PCI requirements...
September 04, 2012 Added by:Robert Siciliano
“EMV transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal... EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions...”
September 03, 2012 Added by:PCI Guru
Just to be clear, I have never argued that pre-authorization data was not to be secured with the same diligence as post-authorization data. I just could not find anything in the PCI DSS that explicitly called out the coverage of pre-authorization data.
August 22, 2012 Added by:Tripwire Inc
This typical reaction I get in the US is many organizations see compliance as a “tax” and try to get away with doing the bare minimum. How do you and your organizations view compliance? Do you see it as a four-letter word, a nuisance, or as a step along the path to more effective security?
August 09, 2012 Added by:PCI Guru
The PA-DSS has a procedure that the PA-QSA can follow to determine that version changes have not affected cardholder data processing and the application’s PA-DSS validation. Without that validation, as a QSA, our hands are tied and we must conduct a full assessment of the application under the PCI DSS...
July 01, 2012 Added by:Stacey Holleran
Small technology companies are finding themselves in a unique business situation as prospective clients increasingly request software applications and hosting solutions that can accommodate secure mobile payment transactions, bringing these technology companies to the forefront as “merchant service providers”...
June 28, 2012 Added by:PCI Guru
In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking pre-authorization data. Only cardholder data after authorization or decline is covered by the PCI DSS...
June 22, 2012 Added by:PCI Guru
“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope"...
June 13, 2012 Added by:PCI Guru
The biggest problem with PCI DSS standards comes down to the fact that humans are averse to being measured or assessed. Why? It makes people responsible and accountable for what they do, and few people want that sort of accountability – we all much prefer wiggle room in how our jobs are assessed...
Making Sense of Split Tunneling ... Caring Match on 08-28-2014
Top 10 Jobs For Criminal Hackers... Philip Miller on 08-28-2014
Fake YouTube Site Targets Activists with Mal... Miscall Kulop on 08-27-2014