Search Results: sampling

PCI Requirements Review: Sampling

...efore, and we used to have all kinds of fun in the assessment process with sampling. From the reader: Sampling methodology. The QSA has to validate that the sampled infrastructure is compliant with the requirements. However, time costs the client money which they don’t want to pay. They always go with the lowest price / proposal. How can the QSA convince the client that the sampling methodology used is aligned with the RoC reporting instructions? H...

The Madness of Sampling

...best possible score during the Q/A review), assessors must describe their sampling methodology. Some assessors choose to use statistically valid samples, some choose to do selective sampling. Both are acceptable, it just needs to be documented. So what should YOU do? If you are facing a mid-year review of your PCI compliance and need to generate some samples, how should you go about doing this to get a realistic result? The answer to this depends...

PCI DSS 2.0 Release and Review

...mpliance. Sampling continues to be an issue in PCI DSS 2.0. Representative sampling is required, but not statistically valid sampling, and no real consistent and repeatable instructions have been included here. Assessors must determine on their own (as they have had to do for nearly a decade now going back to CISP) if the systems sampled give them enough feel-goodery to call it representative, and then somehow explain how you came up with that sam...

June-July 2012 Roundup

...etation, suggest it in the comments of that post! PCI Requirements Review: Sampling. Another often debated PCI topic is that of sampling. How do we do it? What methods are acceptable? What should we be doing? Read more here. PCI Requirements Review: Requirement 4.1+Mobility. How does mobility play into PCI Requirement 4.1? What constitutes a public network? This post has become a great place to understand the impact of PCI DSS on mobility. Thanks...

PCI Europe Community Meeting, Q/A

...y, sound familiar from a remediation perspective?). Second question was on sampling… another issue that often comes up. The new version of the standard says to use a representative sample (they used to use the term selective sample), but since the samples are not statistically valid, it makes choosing a sample a bit of a gut feel. You will see variance between QSAs here as we all seem to have a different opinion on what constitutes a representativ...

The Top 8 Requirements Your Assessor Misses

...date. Requirement 2.2.4 – “For a sample of components…”, often there is no sampling defined or components listed Requirement 3.2 – Few if any of the bulleted items in subrequirements of system components are addressed Requirement 4.1.a – The 4-7 bullets of evidence are often neglected Requirement 5.2 – Automatic updates and periodic scans of the anti-virus solutions are not addressed Requirement 6.3.6 – The requirement to demonstrate custom accoun...

PCI DSS Feedback Period Begins TODAY

...ssues (which I am unsure if the Council is willing to solve) is around the sampling methodology and risk assessment thresholds that QSAs and ISAs must use when determining compliance. Access the feedback tool at https://programs.pcissc.org/. Feel free to submit feedback to me and I can compile relevant portions and ship over to the Council. And one final note, you only have three days left to vote on your favorite SIGs! Don’t get left out of the v...

PCI Requirements Review: Requirement 4.1+Mobility

...s with a detailed analysis on a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before and given tips on making a mobile application comply with PCI DSS, read this post. Now, on to the reader’s dilemma: Does mobile phone technology fall into [the cla...

PCI Requirements Review: Service Accounts and 3.6.6

...PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter: Requirement 3.6.6 – Specifically related to service accounts for applications where a human would have the se...

BUSTED! Why passing the blame for a PCI Breach will fail.

...ity can come into play. If a merchant hides things and gets lucky because sampling did not find issues known by the merchant, the QSA may or may not have liability here. It depends on the circumstances, and more importantly, the lawyers. None of these clauses have been tested yet (to my knowledge) in a court, but that will change based on the events of 2008. Regardless, as a merchant, you should not want to ever GET there. Brand damage aside (whi...
