Sometimes your service providers are not up to speed on how to comply with PCI DSS. An example of that is a service provider completing an SAQ A-EP. This table can help you judge how PCI aware they are. The relative value of a service provider’s assessment verification method declines as you progress through the…
Hopefully your work is complete (or well underway!) to move from SSL/early TLS to a more secure encryption protocol June 30 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged). And while you are at it, double check to…
Have you ever heard of the supplementary validation for designated entities (a.k.a DESV)? If not, you should be happy. According to the Council’s FAQ for designated entities, “A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements. “ Organizations that view PCI…
The PCI Guru has an article about an issue with PCI DSS requirement 2.3.b https://pciguru.wordpress.com/2017/06/09/we-need-a-change-to-2-3-b/ Reminder of what 2.3.b is about: 2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. And the guidance for 2.3 is: If non-console (including remote) administration…
Do you just click on anything in your inbox? Tsk. If so, here is a clickable ad for you:
This is an article based on old (2011) data. I used to have a post about it, but I think I lost it during a hosting provider changeover so I am going to rewrite it here referencing the old data for now. In April 2011, Ponemon (and Imperva) published the results of a study…
Today’s press release from the council announced efforts towards easing the resource constraints felt by QSA Companies. The PCI SSC is developing the Associate QSA certification with the goal of attracting new cyber talent to the program and easing the resource constraints felt by QSA Companies. This project is a first step in a phased…
The countdown is on for IATA Accredited Agents to be Payment Card Industry (PCI) Data Security Standard (DSS) compliant by June 1, 2017 IATA has issued the deadline to reduce the risks associated with payment card transactions and potential data breaches and made PCI DSS compliance a mandatory condition to obtain and retain accreditation as an…
The Register has a story about a breach at cloudy service supplier Aptos. Aptos has several cloud services. POS in the cloud. Ecommerce in the cloud (didn’t see that one coming!). etc. The timeline of what happened is: Feb 2016 – There was a breach and malware installed in the cloud. Nov 2016 – Aptos…