What makes a user account “inactive”? I think most QSAs would say “any account not used with in 90 days”. I think these QSAs would also say that the PCI DSS (v3.2.1) actually defines an inactive account as one that has not been used within 90 days. But maybe this definition is from the Mandela…
ASV Program Guide v3.1 (July 2018) 5.5 ASV Scan Scope Definition For the purpose of ASV scanning, the PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component…
Below is guidance from manufacturers and resellers on how to clean and sanitize your point of interaction (POI) devices. “Wet” covers that are more easily cleaned may seem like a great idea, but everyone else has the same idea and you will find the products backlogged at the moment. Poster for how to clean…
COVID-19 impact on your service provider listing at Visa Visa’s Global list of service providers (here) is a listing of PCI DSS Validated Service Providers and participants in Visa programs (such as Visa Third Party Agent (TPA) Program, etc) who are registered with Visa. The Registry is updated once a month. For service providers published…
Compliance assessment activities and regular compliance activities (i.e. penetration tests, employee training, etc) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still awaiting to hear from the acquirers…
If by WAF you mean “an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic”, then we are on the same page! Ryan Barnett wrote about it in 2008 in his Tactical Web Application Security blog . Didier Godart…
The Report on Compliance suggests that Cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless they are great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…
Assessed entity question: Can switches get updates from the internet, and remain PCI compliant? QSA’s Sarcastic Question: Where else do patches come from? 🙂 I presume you mean the device actively getting updated from the internet. QSA’s Real Questions: What kind of switches do this? What is the exact mechanism? What is the direction of…
What are the risks of “public” WiFi? Its not a great question as we do not define what “public” means. Some better questions are: What are the risks of connecting to a WiFi network run by an attacker? What are the risks of connecting to the same WiFi shared with attackers? What are the risks…
What is the Critical Cybersecurity Hygiene project “Patching the Enterprise”? The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and…