May 2018 will welcome the arrival of a new version of the PCI DSS. The minor update will contain NO NEW REQUIREMENTS and will be given the version number 3.2.1. The requirements that came into effect in February 2018 will have the following text removed: Note: This requirement is a best practice until January 31,…
The case against certificates of compliance: They aren’t a real thing. The AOC (attestation of compliance) is a real thing. Please don’t ask your service providers for a certificate of compliance. You will make the PCI Guru angry. He correctly guides us to FAQ 1220 and thinks they aren’t worth the paper they are printed…
PCI DSS V3.2 Requirement 8.2.3 requires 7 character long passwords 8.2.3 Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. I think its reasonable that…
I think that everyone would agree that the a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant. They could also be assessed as part of the assessed entity’s assessment. But do they need to be “assessed” or “compliant” at all? I think its a risk based decision that depends on…
Just a random question from /r/pcicompliance. PCI Compliance – help with anti-virus, Firewall and Audit Logs Curious if anyone has affordable solutions for anti-virus software, firewall and audit logs. Trying to help two retail stores become compliant. They use a POS software (that is itself PCI Compliance). They have macbooks at each location to swipe…
Some of the simple common questions regarding what is allowed for multifactor authentication are answered in FAQs from the Council. Some of the more complex ones aren’t and need technical expertise to answer, sorry. FAQ 1425: Is “two-step” authentication the same as “two-factor” or “multi-factor” authentication? Answer summary: NO FAQ 1449: Is two-step authentication acceptable…
Technical solutions exist to automate the process of detecting unauthorized wireless access points on a network. These solutions generally work by monitoring radio frequencies to detect new wireless networks and/or monitoring the wired network for wireless access points. Sometimes these features are built into the same equipment that provides the authorized wireless networks. A manual…
Whether you outsource or perform your own penetration tests, you should have a documented penetration testing methodology. This methodology should: Specify a retention period penetration testing results and remediation activities results. Specify coverage for the entire CDE perimeter and critical systems. (referencing your PCI inscope asset list/inventory is probably a good idea.) Specify the frequency…
There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort: Compliance Assessment Method Completion and signing Info Annual Service Provider relative effort Annual QSA effort Service provider assessed as part of (each) client’s assessment None May require onsite visit. Hours/days Client’s QSA: Hours/days…
Sometimes your service providers are not up to speed on how to comply with PCI DSS. An example of that is a service provider completing an SAQ A-EP. This table can help you judge how PCI aware they are. The relative value of a service provider’s assessment verification method declines as you progress through the…