thePCI Portal

Author: Ed

Critical Cybersecurity Hygiene project “Patching the Enterprise”

What is the Critical Cybersecurity Hygiene project “Patching the Enterprise”? The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and…

Functionality testing to verify that the change does not adversely impact the security of the system

What are Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…

eye on PCI v4

full speed ahead on PCI v4

OCTOBER 29 2019:  The V4 draft is out to QSACs, participating organizations and ASVs.  “ This document constitutes “Confidential Information” of PCI Security Standards Council, LLC (PCI SSC) for purposes of the PCI SSC Group Participation Agreement between your organization and PCI SSC (the NDA). It is being provided in connection with the corresponding request…

What is e-Commerce?

If I take payments from customers only via an application on their mobile handheld device, is that ecommerce?     (Should my assessor check e-commerce off in my ROC and AOC?)  The application is one I distribute and not a browser. What is e-Commerce? The term ecommerce is not in the PCI SSC Glossary.  There…

Vulnerability scans are not for req 6.1

Requirement 6.1 is my favourite PCI DSS requirement!  No fancy tools required.  No specialized knowledge.  It can be largely executed by a person on the helpdesk.    And the impact to the overall security posture organization can be huge.  More than that expensive network appliance.  More than that fancy SIEM.  More than that overpriced vulnerability…

PCI compliance and big P Politics

What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money?  Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …