Category Archives: PCI

PCI Requirements Review: Sampling

Hey look, it’s the first of ten posts with a detailed analysis of a PCI Requirement! While this one isn’t specifically a numbered requirement, I do find that sampling is troubling. I’ve written about it before, and we used to have all kinds of fun in the assessment process with sampling. From the reader: Sampling methodology. The QSA has to validate that the sampled infrastructure is compliant with the requirements. However, time costs the client money which they don’t want to pay. They always go with the lowest price / proposal. How can the QSA convince the client that the sampling methodology used is aligned with the RoC reporting instructions? How can one QSAC propose 30 days to complete a ...

Security and Compliance in a Virtualized World

Are security and compliance hindering your ability to comply with PCI DSS or any number of other compliance initiatives? Check out this BUZZ Talk from EMC World where Paul Divittorio and I talk about how EMC does it, and how you can too! Description of the talk: As you move to adopt virtual infrastructure solutions to reduce costs and improve IT operations, make sure you understand the security implications of virtualization. The good news is—virtual environments can be more secure than their physical counterparts. It’s time to separate fact from fiction. Let’s discuss your experiences and what we’ve learned from EMC IT’s own virtualization story. Watch the video here!

Guest Post: Will the new QIR Program Move the Needle?

The following is a guest post by Steve Levinson, PCI Goon. You can contact him here. The PCI (Payment Card Industry) Council (PCICo) has pointed their elbow in the direction of those responsible for installing payment applications. PCICo issued a press release yesterday announcing the PCI Qualified Integrators and Resellers (QIR) program. The QIR program is designed to improve the quality of the integrator/reseller community often tasked with installing and maintaining payment systems. Is this the silver bullet we’ve been waiting for? According to the release, the PCI Council is in the process of rolling out this program to train and certify software resellers and system integrators. The Council will list those certified organizations and individual employees on their web ...

Top 10 PCI Requirements for Interpretation

OK folks, here’s an opportunity for you all! In advance of the third edition of our book slated for a July release, PCI Compliance, I wanted to offer up a free service to those of you dealing with PCI DSS on a daily basis. I’m going to do a detailed analysis of ten requirements for you! Here’s the best part… You get to pick the ten I analyze! Which requirements give you the most trouble? Which ones do you think are getting a bad rap, or are being interpreted too harshly? Tell me! I’ll take the top 10 that people want interpreted and put a series together over the next few weeks with detailed analysis. Throw your suggestions down in ...

Sir, Put Down the Loaded Weapon

Sensitive information is sometimes like a loaded weapon someone might randomly stumble upon in a park. For those who have some kind of training with weapons, you can probably think of a dozen things you would and wouldn’t do if you were in this situation. But what if you had never seen this kind of weapon before? Would it become a paperweight on your desk? Maybe a doorstop? Or in an extreme case, earrings? Maybe you see peers treating these weapons the same way and all of a sudden it becomes acceptable. Until one goes off. Then everyone flips their lid and it’s utter chaos. Questions like, “How did this happen?” and “Why isn’t the government protecting us?” start to pop ...

Top Five PCI DSS Mistakes that Lead to a Breach

RSA Conference is over, but that just means that all of those side conversations and meetings that we had will start to make their way into blog posts! One that is a biggie for me is the top five mistakes that merchants make that lead to a compromise. I often get questions from small merchants asking for the top three to five things they should do to make sure they do not suffer a breach, specifically after they are overwhelmed by SAQ-D. While there is no substitute for complying fully with PCI DSS, there are a few common themes in breaches that businesses should address to avoid one. Keep in mind, while this applies to all setups, the ones getting hit ...

Top 3-5 Things to Remove from PCI DSS

PCI DSS 2.0 has been out for over a year now, and the feedback period is almost closed (ends April 15). If you have not submitted feedback yet, do so! But here’s an interesting challenge I would suggest. If you could pick three to five requirements to REMOVE from PCI DSS, what would they be, and why? I’m looking for options to simplify the standard without compromising its goal as it stands today. I’m looking to make this a serious exercise in improvement that we can submit as part of the feedback period. Comments below are open! Debate below and I’ll forward this entire thread over to the Council for review.

PCI Compliance for….

We are almost done with the next edition of the book! Anton & I are cleaning up a few last edits in the first manuscript and it will be in the publisher’s hands. One topic that we kept coming back to when writing this edition was broadening our scope to go beyond big, Level 1 merchants and service providers. We even dedicated a chapter to small businesses in this edition, and give you tips for what to do when starting a business that needs to accept payment cards. But one thing that strikes me as I reflect upon writing that chapter is the overwhelming urge to make the chapter three words long. Those three words would be: Just. Outsource. It. ...

Myth Busting with Ben Tomhave

I love our industry! There is no shortage of truly talented and smart folks, and one of the best parts of being in this industry is getting to have conversations with these folks often. Ben Tomhave (@falconsview), a noted security pro and blogger, kicked off a flurry of tweets that really went in two directions. First was a common myth about PCI DSS validation which I will address here (and ensure it is much clearer in the next edition of the book). “Can merchants (including Level 1) self assess?” led us to a conversation about the functions of audit, the industry in general, and corporate responsibility. We’ll get into THAT discussion next week. The discussion on Twitter began with ...

PCI DSS Feedback Period Begins TODAY

Remember all that stuff about a three-year life cycle? Well, it’s now officially phase 4, the beginning of the feedback period! What needs fixing in your opinion? What needs clarification? Theoretically, you should have had some time to investigate how the new version impacts your environment, and thought about implementation if you have not already validated against 2.0 this year. Unless your acquirer tells you otherwise, you will be validating against 2.0 next year. So far, the biggest complaints I have heard from stakeholders are the lack of cloud and mobility as well as confusion around scope. One of my issues (which I am unsure if the Council is willing to solve) is around the sampling methodology and risk assessment thresholds that ...
