Blog Posts Tagged with "PCI DSS"
November 17, 2011 Added by:Andrew Weidenhamer
The problem with using a risk based approach is the manner in which risk is defined and accepted. As long as there is a good Risk Assessment methodology in place and further good reasons and justifications to deal with risk, then using a risk based approach is perfectly acceptable...
November 14, 2011 Added by:Infosec Island Admin
This SC magazine free webcast was inspired by the spate of smaller companies being caught out recently by PCI loopholes then incurring massive reputational and financial damage as a result, plus another on what to do about security as iPads, Smartphones proliferate in the workplace...
November 07, 2011 Added by:Infosec Island Admin
There are so many learning resources out there in our profession, making it hard to know where to go for the really worthwhile insights on key issues like personal devices in the workplace, cloud security etc. Two upcoming online events in these areas that have really got people talking...
November 02, 2011 Added by:PCI Guru
This SIG is to be created to guide merchants and service providers in what should be the result of a proper risk assessment, not create another risk assessment methodology. While such an Information Supplement is an admirable ideal, you understand why this SIG is a losing proposition...
October 27, 2011 Added by:David Sopata
Organizations often start implementing security controls on all of their systems throughout the company without really knowing what systems should be in scope or which systems should not be in scope for PCI. Hence, the PCI DSS Prioritization Document and Tool was developed...
October 24, 2011 Added by:PCI Guru
The biggest problem with the insider threat is that it does not matter how much technology you have to protect your assets as it only takes one person in the right place to neutralize every last bit of your security solutions. Just ask anyone any of the recently breached organizations...
October 17, 2011 Added by:PCI Guru
It has been more than five years since the “sa” default password debacle and yet you still encounter applications that use service accounts to access their database and those service accounts have no password. The rationale? “We did not want to code the password into the application..."
October 12, 2011 Added by:Konrad Fellmann
Some organizations hoard data, but have no idea why. A business owner needs to figure out why the data needs to be kept, who will use the data, and how long it needs to be kept for business, legal or contractual reasons. Once defined, IT can implement proper controls to protect the data...
October 11, 2011 Added by:PCI Guru
If Visa were to work with the industry to produce a common API for EMV and contactless cards with PIN online, that would drive adoption of more secure cards in the US because there would be a business reason for adoption. Without such a driver, they are still a solution looking for a problem...
October 07, 2011 Added by:PCI Guru
Breaches occur because organizations get sloppy and, even with defense in depth in their security, there are too many controls where execution consistency has dropped leaving gaping holes in the various levels of security. However, once addressed, attackers will find other ways in...
October 05, 2011 Added by:Danny Lieberman
One of the crucial phases in estimating operational risk is data collection: understanding what threats, vulnerabilities you have and understanding not only what assets you have (digital, human, physical, reputational) but also how much they’re worth in dollars...
October 04, 2011 Added by:Andrew Weidenhamer
As a QSA it is very frustrating to walk in, ask the merchant for the PA-DSS Implementation Guide, and receive a glazed over eye look. It's even more frustrating when you then ask the Vendor/Reseller for the Implementation Guide and they look at you as if you have three heads....
October 01, 2011 Added by:PCI Guru
QSAs are questioning the relevance of this clarification in outsourced and environments totally operated through bank-owned terminals and networks. TPCI SSC is clarifying these requirements is to ensure that QSAs are confirming that outsourced environments truly are out of scope...
September 22, 2011 Added by:PCI Guru
The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...
September 17, 2011 Added by:PCI Guru
there is no such thing as a perfect security framework because as I have said time and again – wait for it – security is not perfect. For those of you that are implicitly selling security to your management as perfect need to stop it. You are doing the security profession a disservice...
August 25, 2011 Added by:PCI Guru
EMV and contactless technologies do not entirely solve the fraud problem. While they minimize fraud in the case of card present transactions, they do not even address fraud in card not present transactions. And it is in card not present transactions where fraud is most prevalent...
Steps Toward Weaponizing the Android Platfor... Freid Jerome on 05-17-2013