Category Archives: PCI

Two weeks until PCI 1.2!

While the official release does not happen until two weeks from today, many key stakeholders now have a copy of the pre-release version. What can you expect? You can expect THIS blogger to honor his NDA! Seriously though, are you ready? Version 1.1 has been around for over two years now (birthday was September 7, 2006), and by now you should have been able to validate as compliant to that version of the standard. If you are still struggling with 1.1, there is good news along with the bad. The bad news is that in some cases your remediation targets may have shifted slightly in one direction. This will apply to you if you have been doing the absolute bare ...


So, you saw the PCI 1.2 announcement?

Is anyone else still just wondering what exactly this means for your business? The summary does definitely answer a few questions, but I am wondering if someone was pressuring the council to release something, ANYTHING, about the new revision. One thing that concerns me as a QSA is the amount of variance that will be introduced in the interpretation of some of the clarifications. For example, right off the bat we see the opportunity for interpretation in the clarification under Requirement 1: "Added flexibility in the time frame for review of firewall rules, from quarterly to every 6 months, based on Participating Organization feedback. Now the control can be better customized to the organization's risk management policies." On the surface, ...


The Blame Game

First off, I want to apologize for the lack of posting. Travel across the date line is one of those things that looks like a productivity enhancer, at FIRST. Then the realization slowly sets in. One of the articles I wanted to post on was Bill Homa (Edit: Sorry, got the spelling wrong!), the former CIO of Hannaford, who is changing his tune a little bit. Apparently, the PCI Standard is not his problem, but now he blames Microsoft for the breach that occurred on his watch. I don’t know if you are like me, but I can’t wait for the lawsuits to start flying so that all of the speculation on this incident can end. Legal discovery can be ...


Thank you SYDNEY!

No, not my niece, but the great city in Australia! I've finally made it back stateside. I'm a little tired, but more so when I start working through the email! Thanks to everyone who joined our event in Sydney! I hope to talk to you all in the coming months.


Thank you Brisbane & Melbourne!

We've been true road warriors this week, and so far have done briefings in Brisbane and Melbourne, Australia! We are heading back to Sydney tonight to do our last PCI briefing of the trip tomorrow. Thanks for the hospitality Brisbane & Melbourne! I look forward to seeing you again soon!


PCI Council announces DSS Lifecycle

I have to admit, I needed some coffee and cobweb remover to decode this message from the Council this morning. They posted their Lifecycle Statement on the standard yesterday. After reading it a few times (and having a cuppa), I believe what they are trying to say is that there will be a new version of the PCI-DSS every 24 months. If you see a major number incremented (say 2.0 from 1.X), it is considered a new version. If a minor number is incremented (say 1.1 to 1.2) it is a revision. Regardless, you still have to do it and you will have some amount of time to implement. The next revision is due out on October 1, 2008 and ...


Thanks to the EUCI!

Thanks to everyone at EUCI and their great hospitality in Vail. I'm looking forward to working with some of you soon!


Not all QSAs are created equal!

The PCI landscape is pretty scary out there. If you are a merchant or service provider that is looking for assistance, there is a long line of companies that are ready to help. What should you expect from your QSA? What should your assessment look like to get the best results? VeriSign reviewed our findings from our customers and wrote a white paper entitled "Not All QSAs Are Created Equal: What You Should Know Before You Buy" that talks about what you should expect. This paper is a FREE download! Go check it out!


Listen to my PCI Podcast!

About a month ago an audio guy showed up to my house and pinned a tiny microphone to my shirt for a podcast on PCI. It is a joint podcast with John Pescatore of Gartner. The theme is on managing PCI Compliance. Go check it out!


Is PCI Working?

I was asked this question while sitting on a panel at RSA, and I think the answer depends on your perspective. I’ll answer this from a security industry perspective. If nothing else, you have to credit PCI with forcing the issue. Security among retail enterprises was generally limited to loss prevention and physical security until recently. Information security usually existed as a small and buried team within the Information Technology group, and did not have board level attention. If someone at the board was savvy enough to realize that security reporting to IT is an example of the fox guarding the hen house, then maybe they moved security into Internal Audit. Now we are seeing a massive amount of development ...

