Blog Posts Tagged with "PCI SSC"
Why Visa Is Upset
September 13, 2011 Added by: PCI Guru
Visa’s beef with my post is the implied connotation by using the term ‘Chip and PIN’ that a PIN would be required. All I was trying to do was to provide an easily Google-able term for people interested in EMV. Such a complaint from Visa is laughable if it were not so sad...
Kicked Out of the PCI DSS Club
August 31, 2011 Added by: PCI Guru
A Qualified Security Assessor Company (QSAC) has finally had its status revoked by the PCI SSC. Based on the FAQ, it seems that CSO was not able to provide documentation that supported their conclusions regarding assessment opinions in the ROCs and ROVs they had issued...
Mobile Payment Application PA-DSS Cert Clarification
August 02, 2011 Added by: PCI Guru
The PCI SSC has stated in this latest clarification that Category 1 and 2 applications and devices can continue through the certification process. These mobile applications have been explicitly called out even though they have been part of the certification process in the past...
PCI SSC Nixes Certification for Mobile Payments Apps
June 30, 2011 Added by: PCI Guru
"Until such time that it has completed a comprehensive examination of the mobile communications device and payment application landscape, the Council will not approve mobile payment applications used by merchants to accept and process payment as validated PA-DSS applications..."
PCI SSC Releases Virtualization Guidelines
June 25, 2011 Added by: PCI Guru
If I had to take the PCI SSC to task, I would argue that cloud computing does not have anything to do with virtualization. Yes, a lot of cloud computing solution providers are using virtualized systems to provide their services, but not every cloud provider uses virtualization...
PCI DSS in the Cloud... From the PCI Council
June 23, 2011 Added by: Anton Chuvakin
The long-awaited PCI Council guidance on virtualization has been released. This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them...
Mobile Payments Set to Dramatically Increase
May 26, 2011 Added by: Robert Siciliano
The Payment Card Industry Standards Council is not yet granting approval to any mobile payment applications. With the explosive growth of the mobile payment industry, they are holding off and waiting to see which technologies rise to the top...
E2E Encryption and Doctored Credit Card Terminals
May 26, 2011 Added by: PCI Guru
End-to-end encryption just moves the attack points, in this case out to the terminal at the merchant’s location. Worse yet, it also makes security of the merchant’s endpoint even more difficult than it already is because the techniques used in doctoring terminals can easily go unnoticed...
Draft PCI DSS v2.0 “Scorecard” Released
May 18, 2011 Added by: PCI Guru
The biggest change I have found thus far is the removal of the requirement to observe network traffic, as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via Wireshark or a similar tool to prove that network traffic is encrypted...
Proposal for an All-or-Nothing Secure Software Standard
May 10, 2011 Added by: Keith Mendoza
Secure software standards should be all-or-nothing. Either the software, and all of its dependencies, is compliant, or the software is not compliant. Not owning the library, or database, will not be an excuse for not meeting the standards...
PCI QSA Re-Certification – 2011 Edition
May 10, 2011 Added by: PCI Guru
Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...
An Update On The MPLS Privacy Debate
April 25, 2011 Added by: PCI Guru
In the end, we will have to rely on the statements and representations of the carrier as to whether or not the network is private. Is this a good way to secure your organization? It is as long as your carrier never causes a problem...
PCI SSC Updates the ASV Training Program
April 05, 2011 Added by: PCI Guru
The ASV training program has blindsided the ASV community as it was a total surprise. Yes, there has been talk over the years at the Community Meetings and in other venues regarding ASV qualifications and training, but nothing ever seemed to come from those discussions...
Payment Card Industry Data Security Standards Overview
March 17, 2011 Added by: Jon Stout
In a nutshell, the PCI DSS requires companies to build and maintain a secure network. The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities...
RSA 2011 PCI Council Interview with Bob Russo
March 09, 2011 Added by: Anton Chuvakin
Accidental exposure of cardholder data is a known risk. Identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security...
The “Magic” Vulnerability – Revised
February 16, 2011 Added by: PCI Guru
You have options to avoid a failing vulnerability scan because of an unsupported OS. The best method, and the one I most recommend, is not to use unsupported operating systems in the first place. However, as a former CIO, I do understand the real world and the issues IT departments face...