Tag Archives: Requirements Review

PCI Requirements Review: Service Accounts and 3.6.6

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! So far we’ve discussed PCI Requirement 4.1 and mobility, Sampling, and Patching & IPS. If you have a requirement you want reviewed, post it here! Today, it’s fun with a very specific interpretation, but I think we can cover this in a way that will be functional in most (if not all) modern setups. Now, on to our submitter: Requirement 3.6.6 – Specifically related to service accounts for applications where a human would have the service account password and the service account can then access the keys. There are two security controls that we discuss in our critical control checklist that are missing ...


PCI Requirements Review: Patching & IPS

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about PCI Requirement 4.1 and mobility. If you have a requirement you want reviewed, post it here! Today, it’s fun with interpretation around patch management and IPS. This isn’t a topic I’ve addressed before, but it is something I’ve debated with a customer. Now, on to our anonymous submitter: Some Host Based IPS vendors and QSAs are saying that if a host based IPS product can block any exploits related to a specific Microsoft patch (virtual patching), then the in-scope system does not have that specific patch applied within 30 days. Even if it SPT cc data! Hrm, interesting. A ...


PCI Requirements Review: Requirement 4.1 + Mobility

It’s time for the next of ten posts with a detailed analysis on a PCI Requirement! Last time we talked about Sampling. If you have a requirement you want reviewed, post it here! Today, it’s all about requirement 4.1 and mobility. There are a couple of elements in play here. I’ve written about PCI DSS and mobility before and given tips on making a mobile application comply with PCI DSS; read this post. Now, on to the reader’s dilemma: Does mobile phone technology fall into [the classification] of public networks? I have ongoing arguments with an acquirer about whether a purpose-built mobile payment device, which they sold to us, can be assessed under SAQ B. The device uses cell phone ...


PCI Requirements Review: Sampling

Hey look, it’s the first of ten posts with a detailed analysis on a PCI Requirement! While this one isn’t specifically a numbered requirement, I do find that sampling is troubling. I’ve written about it before, and we used to have all kinds of fun in the assessment process with sampling. From the reader: Sampling methodology. The QSA has to validate that the sampled infrastructure is compliant with the requirements. However, time costs the client money, which they don’t want to pay. They always go with the lowest price / proposal. How can the QSA convince the client that the sampling methodology used is aligned with the RoC reporting instructions? How can one QSAC propose 30 days to complete a ...
