thePCI Portal

Category: PCI DSS

Whats the 411 on section 4.11 Managed Service Provider?

While completing a version 3.2 PCI DSS assessment, you will eventually get to section 4.11 titled Managed service providers.  (the section formerly known as 4.12 in version 3.1) Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider? Section 4.11 does not shed much light on the topic.  Time to…

the Council Plans to Publish Scoping Guidance!

The latest news update for QSA’s includes news of an upcoming holiday gift for those in the PCI DSS world! The Security Standards Council plans to publish “Guidance for PCI DSS Scoping and Network Segmentation.”  in December 2016.  The Council informs that the guidance “aims to clarify scoping and segmentation principles provided in the PCI DSS”.…

Redirect, but don’t forget

  Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!“, the The Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…

TLS, SSL and PCI – The links

I got tired of hunting these down regularly.  Here are the official TLS and SSL reference links in one spot: SSL/Early TLS: Working with an ASV on Failed Scans http://blog.pcisecuritystandards.org/working-with-an-asv-on-failed-scans INFORMATION SUPPLEMENT Migrating from SSL and Early TLS Version 1.0 Date: April 2015 Author: PCI Security Standards Council – Includes: Preparing a Risk Mitigation and…

A new kind of fine related to non-compliance – $100K+

Dwolla (the online payment system)  claimed that it encrypted all sensitive personal information and that its security practices exceeded industry standards and achieved compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Supposedly the (USA) Consumer Financial Protection Bureau thinks that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from…

PCI DSS 3.2

Have you read the PCI Security Standards Council blog post with a version 3.2 Q&A with Chief Technology Officer Troy Leach yet? Some of the highlights include: What’s in 3.2? evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers;…

Remove Protection from Word Document

Have you ever been stymied in copying text or other actions in a “protected” Microsoft Word document?  The kind of documents that are locked forms where you can only position the cursor or enter text in the designated form fields? The document is not encrypted or totally unavailable to you and accessing all of its…

PCI DSS Version 3.0 Retired

PCI DSS Version 3.0 is now retired (June 30 2015)!  Version 3.1 has been effective since April 2015. And this date marks the beginning of the one year countdown for use of SSL and early TLS as a security control (June 30, 2016).  New implementations must not use SSL or early TLS.  For the next…