Blog Posts Tagged with "QSA"

Requirements that Cannot be Marked ‘Not Applicable’

October 01, 2011 Added by: PCI Guru

QSAs are questioning the relevance of this clarification in outsourced environments and in environments operated entirely through bank-owned terminals and networks. The PCI SSC is clarifying these requirements to ensure that QSAs are confirming that outsourced environments truly are out of scope...

It is Time to Address PCI Compliance Reporting

September 22, 2011 Added by: PCI Guru

The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...

Compliance Is Not Security – Busted!

September 17, 2011 Added by: PCI Guru

There is no such thing as a perfect security framework because, as I have said time and again – wait for it – security is not perfect. Those of you who are implicitly selling security to your management as perfect need to stop it. You are doing the security profession a disservice...

Card Brand Merchant Level Tables

September 08, 2011 Added by: PCI Guru

Sometimes you can negotiate with your processor or acquiring bank to get your multiple legal entities treated as a single entity and do one compliance filing. The key is that you need to negotiate this change before you start your PCI compliance efforts, not after the fact...

Kicked Out of the PCI DSS Club

August 31, 2011 Added by: PCI Guru

A Qualified Security Assessor Company (QSAC) has finally had its status revoked by the PCI SSC. Based on the FAQ, it seems that CSO was not able to provide documentation that supported its conclusions regarding assessment opinions in the ROCs and ROVs it had issued...

End-to-End Encryption – The Rest Of The Story

August 10, 2011 Added by: PCI Guru

If you discuss E2EE with any merchant, most see it as this panacea, something that will get them out of the PCI compliance game altogether. However, nothing could be further from the truth. If anything, E2EE may make PCI compliance even more daunting than it is today...

PCI Compliance Scam? You Tell Me...

July 25, 2011 Added by: PCI Guru

These sorts of actions by organizations just add fuel to the fire for critics to use as another argument as to why the PCI compliance programs are pointless and organizations should not bother with complying with any of the PCI standards...

Some Opinions On PCI Self-Assessment Questionnaires

July 12, 2011 Added by: PCI Guru

Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?

PCI Self-Assessment Questionnaires

June 09, 2011 Added by: PCI Guru

Where most organizations go wrong with the original SAQ C is when they have an integrated POS that connects back to a corporate network. Remote management is allowed in this environment, but the entity that remotely connects must not have uncontrolled access to the POS environment...

Draft PCI DSS v2.0 “Scorecard” Released

May 18, 2011 Added by: PCI Guru

The biggest change I have found thus far is the removal of the requirement to observe network traffic, as the Network Monitoring column is gone. Prior to this point, QSAs were required to capture network traffic with Wireshark or a similar tool to prove that the traffic is encrypted...

PCI QSA Re-Certification – 2011 Edition

May 10, 2011 Added by: PCI Guru

Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...

An Update On The MPLS Privacy Debate

April 25, 2011 Added by: PCI Guru

In the end, we will have to rely on the statements and representations of the carrier as to whether or not the network is private. Is this a good way to secure your organization? It is as long as your carrier never causes a problem...

PCI Security Compliance: Q and A with Anton Chuvakin

April 22, 2011 Added by: Anton Chuvakin

PCI DSS and other PCI standards were intended as a baseline set of security practices, not as a comprehensive, upper limit on security. For various reasons, it is hard for many organizations to understand that. What results is a false sense of security and a mistaken sense of betrayal...

PCI Compliance and Virtualization

March 24, 2011 Added by: PCI Guru

It still surprises me how many IT professionals seem to think that because they are implementing Windows or Linux as a virtual machine there is something different about security and you can skimp on hardening. Security hardening procedures need to be completely followed regardless...

Payment Card Industry Data Security Standards Overview

March 17, 2011 Added by: Jon Stout

In a nutshell, the PCI DSS requires companies to build and maintain a secure network. The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities...

Complete PCI DSS Log Review Procedures Part 17

March 11, 2011 Added by: Anton Chuvakin

Periodic Operational Task Summary: The following contains a summary of operational tasks related to logging and log review. Some of the tasks are described in detail in the document above; others are auxiliary tasks needed for successful implementation of a PCI DSS log review program...
