There are many folks in the PCI industry who will soon require a second security certification. For a lot of them, it will mean the pursuit of an auditor certification from this list: ISACA Certified Information Systems Auditor (CISA) GIAC Systems and Network Auditor (GSNA) Certified ISO 27001, Lead Auditor, Internal Auditor 1 IRCA ISMS…
Purchase electronics, technology or anything that uses electricity in person at random retail brick and mortar locations whenever possible to minimize adversary’s opportunity to mess with your stuff during delivery. Especially items like keyboards, laptops, personal assistants, cameras, etc. Use your neighbour’s address for deliveries and all your mail. The risk of being poisoned…
Remain calm. There is no PCI DSS v4.0 yet. But from the recent community meeting it looks like v4.0 will become “objective” based. The new Software Security Framework (aka the S3 Framework) will be the Council’s first take using an “objective” based approach. (The Software Security Framework will incorporate the Payment Application Data Security Standard…
Did you know that the Verizon 2018 Payment Security Report has a PCI DSS Compliance calendar that is a great start to (or supplement to) an organization’s internal compliance calendar? Its not a new feature of the annual report, but its nice to be reminded its there and it appears to be updated for version…
SAQ A for PCI DSS v3.2.1 includes requirement 6.2. So don’t forget that redirecting webserver! So, patch that webserver. How do you verify that patching is happening? Review policies and procedures. Examine system components. Compare list of security patches installed to recent vendor patch lists. Ad below this line:
Can’t make it to Vegas this week? (Sept 25-27 2018) I understand. Life! It does look like a ton of interesting content that we could use day to day! https://events.pcisecuritystandards.org/las-vegas-2018/agenda/ These are just some of the topics that might catch your interest! Chris Novak and Josh Costa will walk through some of the key findings…
According to the CBC Article, Toronto police are tightlipped about the details of the fraud that stolen wireless payment terminals are being used to commit. They are afraid to educate the public in case someone gets the idea to give it a try themselves. That’s all the public has been waiting for – a criminal…
Visa Canada’s document “The Future of Payment Security in Canada” published in October 2017 has a lot of interesting information. In addition to an overview of the fraud landscape in Canada it outlines the steps they are taking to reduce fraud. 1. Devalue Data 100% EMV Chip-Enabled Point-of-Sale (POS) Tokenization 2. Protect Sensitive Data Contactless…
May 2018 will welcome the arrival of a new version of the PCI DSS. The minor update will contain NO NEW REQUIREMENTS and will be given the version number 3.2.1. The requirements that came into effect in February 2018 will have the following text removed: Note: This requirement is a best practice until January 31,…
The case against certificates of compliance: They aren’t a real thing. The AOC (attestation of compliance) is a real thing. Please don’t ask your service providers for a certificate of compliance. You will make the PCI Guru angry. He correctly guides us to FAQ 1220 and thinks they aren’t worth the paper they are printed…