thePCI Portal

Category: PCI DSS

from /r/pcicompliance – help with anti-virus, Firewall and Audit Logs

Just a random question from /r/pcicompliance. PCI Compliance – help with anti-virus, Firewall and Audit Logs Curious if anyone has affordable solutions for anti-virus software, firewall and audit logs. Trying to help two retail stores become compliant. They use a POS software (that is itself PCI Compliance). They have macbooks at each location to swipe…

Rogue Wireless AP detection

Technical solutions exist to automate the process of detecting unauthorized wireless access points on a network.  These solutions generally work by monitoring radio frequencies to detect new wireless networks and/or monitoring the wired network for wireless access points.   Sometimes these features are built into the same equipment that provides the authorized wireless networks.  A manual…

Pen Testing for PCI v3.2

Whether you outsource or perform your own penetration tests, you should have a documented penetration testing methodology.  This methodology should: Specify a retention period penetration testing results and remediation activities results. Specify coverage for the entire CDE perimeter and critical systems. (referencing your PCI inscope asset list/inventory is probably a good idea.) Specify the frequency…

PCI DSS compliance for Service Providers

There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort:   Compliance Assessment Method Completion and signing Info Annual Service Provider relative effort Annual QSA effort Service provider assessed as part of (each) client’s assessment None May require onsite visit. Hours/days Client’s QSA:  Hours/days…

Supplementary validation for “designated” entities

Have you ever heard of the supplementary validation for designated entities (a.k.a DESV)? If not, you should be happy.  According to the Council’s FAQ for designated entities, “A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements. “ Organizations that view PCI…

Does using telnet for admin always require at least a compensating control?

The PCI Guru has an article about an issue with PCI DSS requirement 2.3.b https://pciguru.wordpress.com/2017/06/09/we-need-a-change-to-2-3-b/ Reminder of what 2.3.b is about: 2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. And the guidance for 2.3 is: If non-console (including remote) administration…

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document.  Useful info for anyone who does or is considering e-commerce.  A couple of the tidbits…

The significance of change

  A significant change triggers several required action for PCI DSS compliance. PCI DSS Requirement Annual Significant Change 6.6 •          Web application vulnerability security assessments, AND/OR •          Automated technical solution that detects and prevents web-based attacks, such as web application firewalls. Include tests for the vulnerabilities in 6.5.1 to 5.5.10 YES YES 11.2 internal and…