What is the Critical Cybersecurity Hygiene project “Patching the Enterprise”? The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and…
What are Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…
Welcome to Vancouver, eh! We got away with some rain free days at the end of the conference. My favourite sessions were the PFI report AND the assessing web technologies for ecommerce session. I stole enough interesting content from those sessions to prepare a couple upcoming posts. Event #1 on the agenda is Tuesday at…
In October 2019, actual drafts of PCI DSS v4.0 will be distributed to stakeholders to review. All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) will be invited to participate. Another round of feedback will occur in mid-2020. The request for comment (RFC) process will also be a key discussion topic at…
If I take payments from customers only via an application on their mobile handheld device, is that ecommerce? (Should my assessor check e-commerce off in my ROC and AOC?) The application is one I distribute and not a browser. What is e-Commerce? The term ecommerce is not in the PCI SSC Glossary. There…
But someone told me that mobile apps on consumer devices are out of scope….. FAQ 1283 from June 2014 If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for…
Requirement 6.1 is my favourite PCI DSS requirement! No fancy tools required. No specialized knowledge. It can be largely executed by a person on the helpdesk. And the impact to the overall security posture organization can be huge. More than that expensive network appliance. More than that fancy SIEM. More than that overpriced vulnerability…
What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money? Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …
thanks to Dave Manouchehri for letting us know about the free parking at TD Place Stadium in Ottawa earlier this week! I wonder if credit card data was at risk? 🙂 Parking is hard. Ad below this line:
My experiences and observations around becoming an Internal Security Assessor. Hi, my name is Marlen, and I’ve been working with a QSA handling PCI Compliance on behalf of my employer, a level 2 merchant retailer of Wine, Beer, Spirits, and as of late, Cannabis (a legal product in our jurisdiction). We are now taking the…