For me, 6.1 and its brethren 6.2. Knowing about vulnerabilities and doing something about them! As a QSA, I always knew of a big critical vulnerability in each platform I assessed. A biggie. The worse the better. I poured over samples seeking unpatched devices. Every demo session I would be jotting version numbers down continually…
Compliance assessment activities and regular compliance activities (i.e. penetration tests, employee training, etc) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still awaiting to hear from the acquirers…
Requirement 6.1 is my favourite PCI DSS requirement! No fancy tools required. No specialized knowledge. It can be largely executed by a person on the helpdesk. And the impact to the overall security posture organization can be huge. More than that expensive network appliance. More than that fancy SIEM. More than that overpriced vulnerability…
My experiences and observations around becoming an Internal Security Assessor. Hi, my name is Marlen, and I’ve been working with a QSA handling PCI Compliance on behalf of my employer, a level 2 merchant retailer of Wine, Beer, Spirits, and as of late, Cannabis (a legal product in our jurisdiction). We are now taking the…
Did you know that the Verizon 2018 Payment Security Report has a PCI DSS Compliance calendar that is a great start to (or supplement to) an organization’s internal compliance calendar? Its not a new feature of the annual report, but its nice to be reminded its there and it appears to be updated for version…
SAQ A for PCI DSS v3.2.1 includes requirement 6.2. So don’t forget that redirecting webserver! So, patch that webserver. How do you verify that patching is happening? Review policies and procedures. Examine system components. Compare list of security patches installed to recent vendor patch lists. Ad below this line:
The case against certificates of compliance: They aren’t a real thing. The AOC (attestation of compliance) is a real thing. Please don’t ask your service providers for a certificate of compliance. You will make the PCI Guru angry. He correctly guides us to FAQ 1220 and thinks they aren’t worth the paper they are printed…
I think that everyone would agree that the a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant. They could also be assessed as part of the assessed entity’s assessment. But do they need to be “assessed” or “compliant” at all? I think its a risk based decision that depends on…
There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort: Compliance Assessment Method Completion and signing Info Annual Service Provider relative effort Annual QSA effort Service provider assessed as part of (each) client’s assessment None May require onsite visit. Hours/days Client’s QSA: Hours/days…
Sometimes your service providers are not up to speed on how to comply with PCI DSS. An example of that is a service provider completing an SAQ A-EP. This table can help you judge how PCI aware they are. The relative value of a service provider’s assessment verification method declines as you progress through the…
