Compliance assessment activities and regular compliance activities (i.e. penetration tests, employee training, etc) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still awaiting to hear from the acquirers…
If by WAF you mean “an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic”, then we are on the same page! Ryan Barnett wrote about it in 2008 in his Tactical Web Application Security blog . Didier Godart…
The Report on Compliance suggests that Cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless they are great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…
Assessed entity question: Can switches get updates from the internet, and remain PCI compliant? QSA’s Sarcastic Question: Where else do patches come from? 🙂 I presume you mean the device actively getting updated from the internet. QSA’s Real Questions: What kind of switches do this? What is the exact mechanism? What is the direction of…
What are the risks of “public” WiFi? Its not a great question as we do not define what “public” means. Some better questions are: What are the risks of connecting to a WiFi network run by an attacker? What are the risks of connecting to the same WiFi shared with attackers? What are the risks…
What is the Critical Cybersecurity Hygiene project “Patching the Enterprise”? The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and…
What are Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…
Welcome to Vancouver, eh! We got away with some rain free days at the end of the conference. My favourite sessions were the PFI report AND the assessing web technologies for ecommerce session. I stole enough interesting content from those sessions to prepare a couple upcoming posts. Event #1 on the agenda is Tuesday at…
OCTOBER 29 2019: The V4 draft is out to QSACs, participating organizations and ASVs. “ This document constitutes “Confidential Information” of PCI Security Standards Council, LLC (PCI SSC) for purposes of the PCI SSC Group Participation Agreement between your organization and PCI SSC (the NDA). It is being provided in connection with the corresponding request…
If I take payments from customers only via an application on their mobile handheld device, is that ecommerce? (Should my assessor check e-commerce off in my ROC and AOC?) The application is one I distribute and not a browser. What is e-Commerce? The term ecommerce is not in the PCI SSC Glossary. There…