Channel: PA-DSS – PCI Guru
Browsing all 68 articles

How About We Fix The Problem?

As I pointed out in my last post, EMV would not have stemmed the loss of data in the Target breach. All EMV would have done is restricted where the thieves could use the card data obtained. Even...

Pre-Authorization Data

After a number of interactions with a variety of people over the last few weeks, it has become obvious that the concept of pre-authorization data is not clear to a lot of people.  And just because it...

Keeping It Simple – Part 2

In Part 1, the key to keeping things as simple as possible is to avoid any storage of cardholder data.  Period.  End of discussion. I also covered mobile payments because more and more small merchants...

End Of Life

This topic has started to come up again as we go through PA-DSS research on applications and find that the listings contain operating systems that are at or past end of life (EOL). The example below is...

SSL Is Officially Declared Dead

On January 30, 2015, QSAs received the latest edition of the Council’s Assessor Newsletter.  Buried in that edition was the following statement. “Notice: PCI DSS and PA-DSS v3.1 Revisions Coming In...

Council Surveys QSAs On SSL

This message popped into my inbox late yesterday. The survey in question contains the following questions. All of my clients have gotten rid of SSL on their public facing Web sites. The dilemma we have...

Policies, Standards And Procedures

Nothing bothers me more than asking for an organization’s firewall policy (or any policy actually) and getting my own personal version of ‘War and Peace’. The document is a mix of policies, standards...

SSL Is Not Going To Go Quietly

A lot of organizations are finding out that simply turning off SSL is not an option. This is particularly true of merchants running eCommerce sites predominantly used by mobile customers or...

Crystal Ball Time

I was recently reminded that we are in year three of the current PCI DSS version. According to the PCI SSC’s standard lifecycle, that means the Council is starting to work on version 4 of the PCI DSS...

The Council Surprises

So I posted my thoughts on where I thought the PCI SSC was headed with v4 of the PCI DSS and today the Council announced there apparently will be no v4. Instead we will get v3.2 of the PCI DSS and...

Council Releases PCI v3.2 Dates

The dates given are not hard and fast such as Tuesday, April 26, more like general points in time such as “late April”.  But at least they are providing a form of schedule for the release of the new...

The Council Speaks About v3.2

If you missed it, do not feel bad.  I too had to be told by friends and colleagues that the PCI SSC was having a Webinar on Thursday, March 31, to discuss the upcoming changes to the PCI DSS and PA-DSS...

Living In PCI Denial

This was one of those weeks where you see something and all you can do is shake your head and wonder what some organizations think when it comes to PCI.  What added insult to injury in this case was...

Hold Your Horses

UPDATE: The ROC Reporting Template is available as a PDF on the Document Library page after the Reporting Template and Forms banner almost all the way down the page. The Word version of the ROC...

Is The PCI DSS Even Relevant Any More?

First the National Retail Federation (NRF), then bloggers.  Organizations and people are piling on the PCI SSC and standards all because of the United States Federal Trade Commission’s (FTC) fact...

Microsoft Changes Their Patching Strategy

Back in May 2016, Microsoft issued a blog entry on TechNet giving the world insight into its new patching strategy.  The concept of a monthly “rollup” patch or what a lot of people are calling a...

2016 North American PCI Community Meeting

It was a hectic week out in Las Vegas at the Community Meeting this year.  I wish I had more time this year to just hang out with everyone, but I was in the middle of a number of assessments that...

NESA – Guidance In Search Of A Problem

On Thursday, June 29, the PCI SSC held their quarterly Assessor update webinar.  One of the more interesting discussions was on the topic of the non-listed encryption solution assessment or NESA. For...

What Are You Really Interested In?

As a QSA, we hear this comment all of the time. “PCI is all about compliance, not security.” The implication being that the person talking is interested in actually securing their environment not just...

Pre-Authorization And Post-Authorization (Part 1)

Welcome to a new year.  I have had a number of interactions with a variety of people over the previous year and it has become obvious that the concepts of pre-authorization and post-authorization data...
