Search Results: sampling

PCI Requirements Review: Sampling

Hey look, it’s the first of ten posts with a detailed analysis on a PCI Requirement! While this one isn’t specifically a numbered requirement, I do find that sampling is troubling. I’ve written about it before, and we used to have all kinds of fun in the assessment process with sampling. From the reader: Sampling methodology. The QSA has to validate that the sampled infrastructure is compliant with the requirements. However,...

The Madness of Sampling

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance. According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.” That often leads to the next two questions—the a...

PCI DSS 2.0 Release and Review

Yep, it’s out. Well, at the time I am writing this it is not out, but by the time you read this it will be! You can go download the standard and the summary of changes at the Council’s new site. I’m not going to go over EVERY change, but will highlight some of the more significant ones that will impact how companies approach PCI DSS. Here are some highlights that I think are interesting....

June-July 2012 Roundup

Stay Classy, San Diego! What was popular in June/July? First off, I was apparently too busy to put this together! I was lucky enough to get a vacation this year with the wife, and I sort of neglected this. No worries, we’ll make up for it! We had BlackHat/Defcon/BSidesLV, more suspected hacks (DropBox), and record heat across a large portion of the Midwest. As I’m writing this now, the thermometer is topping 110°F, but thankfully...

PCI Europe Community Meeting, Q/A

I always enjoy the Q/A sessions that the Council has at these events. I don’t know how many sessions I will be able to blog about (we only want the interesting ones anyway), but here’s the first bunch of Q/A from this session! The first question was around segmentation and SANs. I’d never heard the question asked that way, but most SANs by nature are segmented from each other. The more interesting point here is what...

The Top 8 Requirements Your Assessor Misses

The QSA community at large received the May edition of the assessor update from the Council on Friday. In it, Troy Leach is giving us hints on which requirements assessors are messing up the most. Keep in mind, he is speaking about this from the Quality Assurance process, and not from watching assessors conduct assessments. The reason I make this distinction is that your assessor COULD be evaluating the criteria mentioned...

PCI DSS Feedback Period Begins TODAY

PCI DSS Lifecycle Remember all that stuff about a three-year life cycle? Well, it’s now officially phase 4, the beginning of the feedback period! What needs fixing in your opinion? What needs clarification? Theoretically, you should have had some time to investigate how the new version impacts your environment, and thought about implementation if not already validated against 2.0 this year. Unless your acquirer tells you otherwise, you...

PCI Requirements Review: Requirement 4.1 + Mobility

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before; for tips on making a mobile application comply with PCI DSS, read this post. Now, on to the...

PCI Requirements Review: Service Accounts and 3.6.6

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter: Requirement 3.6.6 –...

BUSTED! Why passing the blame for a PCI Breach will fail.

After the year we had in 2007 with PCI related breaches, who would have thought that 2008 would give us more? I mean, after last year, who would have thought that we would see another major breach given the “lessons” we learned? Um, I did. Fo-sho. Why? Because early in my career I learned that most executives don’t care about problems until they hit close to home. Like right under their nose. We’ve seen two instances...
