Category Archives: PCI

VLANs and Segmentation

I was following an email trail from a few colleagues and it dawned on me that I had not written about the use of VLANs with respect to PCI in this blog.  If you purchased Anton & my book, you can get a great, real-life example of VLANs in the second case study in Chapter 4, Building and Maintaining a Secure Network entitled, “The Case of the Large, Flat Corporate Network.” The question that was asked is, “Can a VLAN be used as a way to segment a network?” Of course, the answer (as always) is “It depends on how you are using it.”  If you are using simple 802.1q tagging with no other controls, that is not considered good ...

RSA Security Brief, Secure Payment Services: Card Data Security Transformed

RSA, the security division of EMC, recently released a new security brief entitled, “Secure Payment Services: Card Data Security Transformed,” that outlines the security implications and benefits of the emerging category of outsourced secure payment services. In fact, many of the challenges we’ve discussed over the years in this blog can be solved by accomplishing significant scope reduction—the surest way to reduce the impact of PCI DSS on an environment. The authors of the brief include Dr. Anton Chuvakin (Security Warrior Consulting), Sam Curry (RSA), Robert Griffin (RSA), Craig Tieken (First Data), Steven Wilson (Visa EU), and me. The brief offers practical guidance on how retailers, merchants, and other organizations handling card data can improve payment card security and reduce ...

Trust but Verify: Words to Live By!

QSAs have to walk a very fine line with customers.  Especially those that are coming back for years two and three on a multi-year contract. I’ve seen it happen to other companies, and it’s happened to me.  The conversation goes something like this: Me: OK, now that we are on logging, please provide me with the logs you pulled from X server in Y environment. Them: Here you go. Me: This is exactly what we need, but I need a set pulled from recent data, not the ones we looked at last year. Them: But you looked at it last year! I’ll give you access to our change control system and you can see nothing changed on that box. Me: ...

How Much Backup Media Do You Have?

Disk space is cheap.  Cheaper than it ever has been.  In fact, if you try to purchase small disks for legacy applications, you might be in for an exhaustive or expensive search. For example, I was looking to replace a 20 Gig 2.5″ PATA drive with a 40 Gig one.  Good luck!  Not only did I not find ANY PATA drives at some local big box retailers, but going to Fry’s yielded me two choices: 160 Gig or 250 Gig.  The price of both of those was cheaper than what I could find online in the 40 Gig range. With disk space being so cheap (sub $100 per terabyte) and data storage growing at insane rates, is it easier to ...

Why ISAs Are Good for QSAs

The PCI Security Standards Council recently announced their Internal Security Assessor program (ISA) ((Side note… everyone seems to dog pile on the Standard when people reference it as a SECURITY standard, but nobody dog piles on the Council for using security in the assessor acronyms?)) and it seems like the response is overall positive.  I have spoken to a few QSAs that are afraid this may contribute to a decline in the business as there is dissension in the ranks of those being assessed ((Quality in QSAs is a current problem being addressed by the Q/A program.)). ISAs are GOOD for QSAs, and as a QSA you should prefer to assess companies that have installed them in their teams. I ...

PCI Council Releases New PTS Standard

The PCI Security Standards Council released a unified PIN Transaction Security (PTS) standard yesterday under the title Point Of Interaction (POI) Modular Security Requirements.  The new PTS POI unified what was previously three separate standards: the Unattended Payment Terminal (UPT) Security Requirements, POS PIN Entry Device Security Requirements, and the Encrypting PIN Pad (EPP) Security Requirements which now sunset on May 12, 2011. According to the release: The standard introduces a new modular approach for testing all PTS points of interaction, which includes two new optional modules in addition to minor updates to the existing requirements. The Open Protocols module addresses the security of PIN Entry POI devices that utilize external connectivity, and the Secure Reading and Exchange of Data (SRED) module is designed for ...

On Scope Shrinkage in PCI DSS

This is a guest post by Anton Chuvakin (RSS), co-author of our PCI Compliance book.  Follow him on Twitter at @Anton_Chuvakin. People who came to PCI DSS assessments and related services (such as compliance gap analysis and even implementation of PCI controls) from doing pure information security often view scope reduction as “a cheap trick” aimed at making PCI compliance undeservedly easier. They only think of scope reduction as of limiting the area where PCI DSS security controls apply—with negligence, supposedly, reigning supreme outside of that sacred area. However, PCI DSS scope shrink is not just a cop out aimed at not protecting data. It is not just a “PCI project cost reduction” measure. Some half-witted analysts propagate this ...

What Egress Filters Should I Use?

Another reader comes to the rescue!  This reader asks: Like everyone else, I have been so involved doing ingress filtering that I have neglected egress filtering. To me, ingress filtering is easy: block everything except what is absolutely necessary. Egress filtering is another animal. Everyone tells me I should do it, but no one tells me what I should be filtering for. Can you suggest a basic scheme for a small to medium business (SMB) to follow? Great question!  And you are most definitely correct in that the majority of guidance on firewalls focuses on how to limit traffic from untrusted networks into trusted networks.  Outbound traffic tends to be much trickier for several reasons like: You have to do ...

PCI SSC Launches Internal Security Assessor Program

The PCI Security Standards Council announced on Friday the creation of the Internal Security Assessor (ISA) program.  If you recall, we had some fun with MasterCard last year when they floated and then retracted some changes in their SDP program.  The one change that stuck will be causing a small subset of Level 1 merchants pain—the inability to self-assess. If you recall, Level 1 merchants have always been able to self-assess IF they have a C-level executive sign off on it. Self-assessing sounds attractive until that last part.  While the vast majority of Level 1 merchants choose to use a QSA, there are a few that have been self-assessing for years.  In fact, one colleague in particular discussed ...

To Europe: Have You Found Your QSA?

I’m writing this from the lovely (and quite steamy today) Terminal 3 of London’s Heathrow Airport after spending a week talking to clients, partners, and industry professionals about information security issues in Europe.  It’s clear that PCI DSS is one of the biggest issues facing security professionals in Europe, and will likely dominate many of their lives for the next 12-24 months ((Another bonus, our book sold out at Infosec Europe, and has apparently been a very big deal in the EU.  Someone even told me they bought it IN A BOOKSTORE!  Never seen it in a bookstore in the US.)). My question to you is, “Have you found YOUR QSA?” PCI DSS is something we’ve lived with for many ...
