Where is Cloud in PCI DSS 2.0? standard

It doesn’t take a keen observer to notice that the term cloud doesn’t even exist in PCI DSS 2.0. In fact, the “Find” feature will do that for you. Sure, strides were made to include Virtualization into the fold (even in spite of many individuals arguing you don’t need to include it, just apply the standard to it), but that is only the first of many steps on the journey to the cloud. If you are on the very front edge of the cloud transformational wave, you may have had to discuss how you use cloud with your QSA. My bet? It was a painful discussion that left both parties leery of the other. My comments in this month’s Digital ...

Continue Reading

October 2010 Roundup standard

What was popular in October? We saw the PCI Security Standards Council release PCI 2.0, I became a shill for Chevrolet (ending Nov 8) and posted a link to my flying blog, I am cooking at #BSidesDFW, and I was on TV! Running around D/FW doing missions for Chevy in the Silverado was fun, but alas, I return the truck on Friday. Here are the five most popular posts from last month: PCI DSS 2.0 Release and Review. This one is two years in the making, and the next one won’t happen for three more years. I threw together a few notes along with links to the document. Full Review of the 2010 PCI Community Meeting. This one held the ...

Continue Reading

Scoping Fun with PCI DSS 2.0 standard

day 162 Karate Kick, by Hoggheff
OK, so as you can see from the comments, my post yesterday generated a bit of controversy. I must apologize for the 1.3.3 miss as I did my initial research after a long night of, um, networking at the PCI Community Meeting in Orlando. That post was put together with haste over the last three days, while trying to review and decipher some passionately scrawled chicken scratch. I went back and responded to the comments (no editing, it’s all there), and wanted to talk about another significant change I didn’t discuss yesterday. Page 10 of PCI DSS 2.0 adds quite a bit of text into the Scoping guidance that QSAs and assessees use to determine the correct scope for their ...

Continue Reading

PCI DSS 2.0 Release and Review standard

Yep, it’s out. Well, at the time I am writing this it is not out, but by the time you read this it will be! You can go download the standard and the summary of changes at the Council’s new site. I’m not going to go over EVERY change, but will highlight some of the more significant ones that will impact how companies approach PCI DSS. Here are some highlights that I think are interesting. Explanation of how and where PA-DSS applies is a key clarification that was well known in the industry but was not documented in the standard like this.  Very helpful. VIRTUALIZATION is FINALLY included throughout the standard. From page 10 in the scoping guidance through to ...

Continue Reading

American Express Updates Merchant Reporting Requirements standard

This week is a big one for those of us involved in PCI DSS, and all that implies. Check back on Thursday for a review of the changes in PCI DSS v2.0. I’ve completed an initial review using the embargoed version, but will double check my work based on what actually comes out on the 28th. In the meantime, American Express quietly pushed a new change to their Merchant Reporting requirements over the weekend. What was previously a requirement for the EU only is now a global requirement regardless of location. Level 2 American Express merchants (as defined by processing between 50,000 and 2.5 million transactions per year) must now submit an annual SAQ and quarterly network scans performed by ...

Continue Reading

RSA Europe Recap and the Spread of Regulatory Compliance standard

Why have I been radio silent this week? It’s certainly not because I have a lack of things to say. Even my own team mates are surprised when I tell the recent stories of being out talked. Couple of things are going on that you might be interested in. For one, I am doing a project for the next three weeks for the North Texas Chevy Dealers. In exchange for writing about and videoing my experiences, I have been given a 2011 Chevy Silverado Extended Cab, Texas Edition truck to drive. Follow my adventures over here to see me kick the tires! Outside of driving trucks and blogging about that, I spent the week in London for RSA Europe. The ...

Continue Reading

Is Tokenization Safe? standard

In our industry, topics turn hot and cold in record time.  The hot topic this week seems to focus on the safety of using Tokenization as a solution for reducing compliance and security requirements. I found this blog post on StoreFront BackTalk by Walt Conway that poses the question, “What happens to my data if my token vendor goes bankrupt?” Earlier in the week, as part of my ISSA Editorial Advisory Board duties, I reviewed an article that posed some of the very same questions. Outsourcing the handling of payment data is a critical decision for merchants to consider, and it should not be taken lightly. Just like any other major decision any company makes, merchants should perform a risk ...

Continue Reading

Herding Cats October, Seeing Through the Fog standard

Have you checked out ISSA Connect yet? The next issue is up there with my column, Seeing Through the Fog. Cloud Computing and associated utility computing topics make lawyers and insurance underwriters uneasy. Like for real. But it’s all about a little bit of education on the topic. If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today! Possibly Related Posts: Top Posts from 2015 October 2015 Roundup September 2015 Roundup August 2015 Roundup June-July 2015 Roundup

Continue Reading

Cloud Ain’t So Scary! standard

After the end of quarter madness calmed down on Friday afternoon, I had a few minutes to reflect on an interesting panel discussion I sat on (to which I was almost late). I was speaking with a group of underwriting and legal professionals about cloud computing and the security and compliance problems it presents. The fear in the room was nearly tangible. As with most issues relating to information security, it all comes back to the data. Cloud services are perfect for some applications, and downright frightening for others. It’s not to say that certain cloud types are inherently more insecure (although in some cases they are), but it’s more about the structure of the cloud services as it relates ...

Continue Reading

September 2010 Roundup standard

What was popular in September? We had the PCI 2010 Community Meeting in Orlando, embargoed documents from the Council, some posts that poked a little fun, and a cloudy experience with Desktop as a Service! On that last one, apologies for the incorrect link to the VMWare release. At least you guys know what I was wondering about when I worked on that edited post. Yes, I was concerned about that fungus.  It’s benign tho, so don’t worry. Here are the five most popular posts from last month: Review of the 2010 ____ ____ Meeting. Sometimes the most popular posts only have a few days to percolate.  That would be the case with my initial review of the PCI Community ...

Continue Reading