Compensating Control Refresher
From time to time, organizations find themselves in the predicament of not being able to meet a PCI DSS requirement due to business or technical constraints. To address that situation, the PCI SSC has...

SSL Is Not Going To Go Quietly
A lot of organizations are finding out that simply turning off SSL is not an option. This is particularly true of merchants running eCommerce sites predominantly used by mobile customers or...

PCI DSS v3.2 Draft Released
On Friday, April 15, 2016 while a lot of you were probably getting your US income taxes done, the PCI SSC decided to release the draft of v3.2 of the PCI DSS. I know the announcement message to me...

Microsoft Changes Their Patching Strategy
Back in May 2016, Microsoft issued a blog entry on TechNet giving the world insight into its new patching strategy. The concept of a monthly “rollup” patch or what a lot of people are calling a...

Why Voice Over IP Matters
“Voice over IP are the most insidious set of communication protocols ever invented by man.” – Jeff Hall I have been having some interesting conversations of late with prospects and clients regarding...

Pre-Authorization And Post-Authorization (Part 1)
Welcome to a new year. I have had a number of interactions with a variety of people over the previous year and it has become obvious that the concepts of pre-authorization and post-authorization data...

Can I Use SSAE 18 SOC 2 Reports? Part 1
This is a common question that QSAs encounter from clients. The client has an SSAE 18 Controls at a Service Organization (SOC) report from one of their service providers and they want to know if they...

Open Source
One of the questions we received at the last PCI Dream Team session was: “What about open source for 6.5?” I am sure the person asking wanted to know whether open source payment solutions must comply...

DevOps And PCI – Part 1
DevOps is all the rage in organizations that develop applications. The move to become “Agile” through the implementation of methodologies such as Scrum to replace the traditional waterfall SDLC is...

DevOps And PCI – Part 2
In the first post on this topic we discussed the terminology of DevOps and how segregation of duties can get complicated with DevOps. In this post we will continue to investigate DevOps and discuss...