Channel: Requirement 6 – Develop and maintain secure systems and applications – PCI Guru
Browsing all 38 articles
Database 2012 Threats

I attended a Webinar recently put on by Application Security Inc. regarding the threats to databases for the coming year.  If you did not attend it, you missed a good session.  But the most disturbing...

Third Party Service Providers And PCI Compliance

There seems to be a lot of confusion regarding third parties that provide networking or hosting services and their obligations regarding PCI compliance.  This confusion is not uncommon as merchants and...

2013 Threats To Databases

Akamai just released their third quarter 2012 Internet statistics and are pointing to China as the generator of at least a third of all attacks.  Not only that, the Chinese attackers are going almost...

Why vSkimmer Should Not Matter

It was announced this week by McAfee that a new threat to merchants has been discovered called vSkimmer.  This is a very insidious threat as most merchants will likely not know they have been infected...

Coming Attractions

On September 12, 2013 the PCI SSC released the drafts of version 3 of the PCI DSS and PA-DSS.  In reviewing the PCI DSS, there are six new requirements that will be considered ‘best practices’ until...

Thoughts From The 2013 PCI Community Meeting

I got lucky that my new employer allowed me to go to this year’s PCI Community Meeting held in Las Vegas.  It is always nice to hear things first hand versus getting the slide decks, asking questions...

Why SAQ A-EP Makes Sense

A colleague of mine attended the PCI SSC QSA Update session at the ETA convention a couple of weeks back.  One of the big discussion items was how the Council is being pilloried over SAQ A-EP.  This...

Lawyer Or Security Professional?

“It depends upon what the meaning of the word ‘is’ is. If ‘is’ means ‘is and never has been’ that’s one thing – if it means ‘there is none’, that was a completely true statement.” –President of The...

Compensating Control Refresher

From time to time, organizations find themselves in the predicament of not being able to meet a PCI DSS requirement due to business or technical constraints. To address that situation, the PCI SSC has...

SSL Is Not Going To Go Quietly

A lot of organizations are finding out that just turning off SSL is just not an option. This is particularly true of merchants running eCommerce sites predominantly used by mobile customers or...

PCI DSS v3.2 Draft Released

On Friday, April 15, 2016 while a lot of you were probably getting your US income taxes done, the PCI SSC decided to release the draft of v3.2 of the PCI DSS.  I know the announcement message to me...

Microsoft Changes Their Patching Strategy

Back in May 2016, Microsoft issued a blog entry on TechNet giving the world insight into its new patching strategy.  The concept of a monthly “rollup” patch or what a lot of people are calling a...

Why Voice Over IP Matters

“Voice over IP are the most insidious set of communication protocols ever invented by man.” – Jeff Hall I have been having some interesting conversations of late with prospects and clients regarding...

Pre-Authorization And Post-Authorization (Part 1)

Welcome to a new year.  I have had a number of interactions with a variety of people over the previous year and it has become obvious that the concepts of pre-authorization and post-authorization data...

Can I Use SSAE 18 SOC 2 Reports? Part 1

This is a common question that QSAs encounter from clients.  The client has an SSAE 18 Controls at a Service Organization (SOC) report from one of their service providers and they want to know if they...

Open Source

One of the questions we received at the last PCI Dream Team session was: “What about open source for 6.5?” I am sure the person asking wanted to know whether open source payment solutions must comply...

DevOps And PCI – Part 1

DevOps are all the rage in organizations that develop applications.  The move to become “Agile” through the implementation of methodologies such as Scrum to replace the traditional waterfall SDLC is...

DevOps And PCI – Part 2

In the first post on this topic we discussed the terminology of DevOps and how segregation of duties can get complicated with DevOps.  In this post we will continue to investigate DevOps and discuss...
