Blog Posts Tagged with "PCI DSS"
Complete PCI DSS Log Review Procedures Part 12
January 28, 2011 Added by: Anton Chuvakin
We have several major pieces that we need to prove for PCI DSS compliance validation. Here is the master-list of all compliance proof we will assemble. Unlike other sections, here we will cover proof of logging and not just proof of log review since the latter is so dependent on the former...
Comments (0)
More On The Cloud And PCI Compliance
January 28, 2011 Added by: PCI Guru
PCI DSS can be applied to “the cloud” in its existing form. Then where is the problem? The first problem with “the cloud” is in defining “the cloud.” If you were to ask every vendor of cloud computing to define “the cloud,” I will guarantee you will get a unique answer from each vendor asked...
Comments (1)
Complete PCI DSS Log Review Procedures Part 11
January 23, 2011 Added by: Anton Chuvakin
The main idea of this procedure is to identify and then interview the correct people who might have knowledge about the events taking place on the application, then to identify its impact and the required actions, if any...
Comments (0)
Credit Card Security in the Cloud
January 21, 2011 Added by: Danny Lieberman
Obviously, the standard was written by system administrators and not programmers because the notion of inter-process communications is ignored. Once we are running online transaction applications in the cloud, the notion of public networks becomes an antiquated given...
Comments (1)
Network Segmentation – One Last Discussion
January 21, 2011 Added by: PCI Guru
Just because you implement all of these recommendations does not make you invincible. All these recommendations do is just make the likelihood of an incident and the potential damage resulting from an incident lower than if you had little or no controls in place...
Comments (0)
RTFM: Take the Time to Read the Documentation
January 18, 2011 Added by: PCI Guru
The PCI SSC’s Web site contains all of the documentation you need to interpret the PCI standards, yet it seems the only document that people download and read is the PCI DSS. If people would just read the rest of the documentation that is available, we would all be better off...
Comments (0)
Complete PCI DSS Log Review Procedures Part 10
January 17, 2011 Added by: Anton Chuvakin
A message not fitting the profile is flagged “an exception.” It is important to note that an exception is not the same as a security incident, but it might be an early indication that one is taking place. At this stage we have a log message that is outside of routine/normal operation...
Comments (0)
Complete PCI DSS Log Review Procedures Part 9
January 14, 2011 Added by: Anton Chuvakin
The first method considers log types not observed before and can be done manually as well as with tools. Despite its simplicity, it is extremely effective with many types of logs: simply noticing that a new log message type is produced is typically very insightful for security, compliance and operations...
Comments (0)
The Harsh Reality Of Security
January 09, 2011 Added by: PCI Guru
Chris Skinner asks the question, “Why does the card securities council not care about card security?” What concerns me is the title of the article as it again implies that the PCI standards do nothing to secure cardholder data. I thought I would take a shot at answering this question...
Comments (0)
Complete PCI DSS Log Review Procedures Part 8
January 09, 2011 Added by: Anton Chuvakin
Building a baseline without using a log management tool has to be done when logs are not compatible with an available tool or the available tool has a poor understanding of log data (e.g., a text indexing tool). To do it, perform the following...
Comments (0)
PCI SSC Backs Off Certifying Mobile Payment Apps
January 05, 2011 Added by: PCI Guru
A mobile payment refers to the use of a wireless device as a cash register. This is one of the reasons why the PCI SSC has pulled back on certifying mobile payment applications. The definition is becoming too broad and confusing, thus creating too many issues to cover in a quick time...
Comments (0)
Complete PCI DSS Log Review Procedures Part 7
January 04, 2011 Added by: Anton Chuvakin
An additional step should be performed while creating a baseline: even though we assume that no compromise of card data has taken place, there is a chance that some of the log messages recorded over the 90 day period triggered some kind of action or remediation...
Comments (0)
Complete PCI DSS Log Review Procedures Part 6
January 02, 2011 Added by: Anton Chuvakin
In addition to this “event type”, it makes sense to perform a quick assessment of the overall log entry volume for the past day (past 24 hr period). Significant differences in log volume should also be investigated using the procedures defined below...
Comments (0)
MasterCard SDP Revisited For Level 2 Merchants
December 28, 2010 Added by: PCI Guru
All of these merchants intend to conduct their own SAQ but wanted to make sure that was still acceptable under the MasterCard SDP rules. Last year there was a lot of confusion since MasterCard pulled back on their decision to require Level 2 merchants to have a QSA conduct an on-site PCI assessment...
Comments (1)
Complete PCI DSS Log Review Procedures Part 5
December 26, 2010 Added by: Anton Chuvakin
This section covers periodic log review procedures for applications in scope for this project. Such review is performed by either the application administrator or the security administrator. The basic principle of PCI DSS periodic log review is to accomplish the following...
Comments (0)
Complete PCI DSS Log Review Procedures Part 4
December 16, 2010 Added by: Anton Chuvakin
Event logging and security monitoring in a PCI DSS program go well beyond Requirement 10. Only through careful data collection and analysis can companies meet the broad requirements of PCI DSS...
Comments (0)