thePCI Portal

Category: PCI DSS

PCI DSS compliance for Service Providers

There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort:   Compliance Assessment Method Completion and signing Info Annual Service Provider relative effort Annual QSA effort Service provider assessed as part of (each) client’s assessment None May require onsite visit. Hours/days Client’s QSA:  Hours/days…

Does using telnet for admin always require at least a compensating control?

The PCI Guru has an article about an issue with PCI DSS requirement 2.3.b https://pciguru.wordpress.com/2017/06/09/we-need-a-change-to-2-3-b/ Reminder of what 2.3.b is about: 2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. And the guidance for 2.3 is: If non-console (including remote) administration…

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document.  Useful info for anyone who does or is considering e-commerce.  A couple of the tidbits…

The significance of change

  A significant change triggers several required action for PCI DSS compliance. PCI DSS Requirement Annual Significant Change 6.6 •          Web application vulnerability security assessments, AND/OR •          Automated technical solution that detects and prevents web-based attacks, such as web application firewalls. Include tests for the vulnerabilities in 6.5.1 to 5.5.10 YES YES 11.2 internal and…

Whats the 411 on section 4.11 Managed Service Provider?

While completing a version 3.2 PCI DSS assessment, you will eventually get to section 4.11 titled Managed service providers.  (the section formerly known as 4.12 in version 3.1) Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider? Section 4.11 does not shed much light on the topic.  Time to…

the Council Plans to Publish Scoping Guidance!

The latest news update for QSA’s includes news of an upcoming holiday gift for those in the PCI DSS world! The Security Standards Council plans to publish “Guidance for PCI DSS Scoping and Network Segmentation.”  in December 2016.  The Council informs that the guidance “aims to clarify scoping and segmentation principles provided in the PCI DSS”.…

Redirect, but don’t forget

  Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!“, the The Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…