The PCI Guru has an article about an issue with PCI DSS requirement 2.3.b https://pciguru.wordpress.com/2017/06/09/we-need-a-change-to-2-3-b/ Reminder of what 2.3.b is about: 2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access. And the guidance for 2.3 is: If non-console (including remote) administration…
This is an article based on old (2011) data. I used to have a post about it, but I think I lost it during a hosting provider changeover so I am going to rewrite it here referencing the old data for now. In April 2011, Ponemon (and Imperva) published the results of a study…
Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…
A significant change triggers several required action for PCI DSS compliance. PCI DSS Requirement Annual Significant Change 6.6 • Web application vulnerability security assessments, AND/OR • Automated technical solution that detects and prevents web-based attacks, such as web application firewalls. Include tests for the vulnerabilities in 6.5.1 to 5.5.10 YES YES 11.2 internal and…
The term REPORT FINDINGS HERE occurs 844 times in the version 3.2 ROC reporting template. 939 times in version 3.1 926 times in 3.0 Not once in v2.0 (it had a different format). Some can be filled with as little as two letters: NO Some require several paragraphs. Huh, I thought it was bigger…
While completing a version 3.2 PCI DSS assessment, you will eventually get to section 4.11 titled Managed service providers. (the section formerly known as 4.12 in version 3.1) Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider? Section 4.11 does not shed much light on the topic. Time to…
The latest news update for QSA’s includes news of an upcoming holiday gift for those in the PCI DSS world! The Security Standards Council plans to publish “Guidance for PCI DSS Scoping and Network Segmentation.” in December 2016. The Council informs that the guidance “aims to clarify scoping and segmentation principles provided in the PCI DSS”.…
Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!“, the The Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…
I got tired of hunting these down regularly. Here are the official TLS and SSL reference links in one spot: SSL/Early TLS: Working with an ASV on Failed Scans http://blog.pcisecuritystandards.org/working-with-an-asv-on-failed-scans INFORMATION SUPPLEMENT Migrating from SSL and Early TLS Version 1.0 Date: April 2015 Author: PCI Security Standards Council – Includes: Preparing a Risk Mitigation and…
Dwolla (the online payment system) claimed that it encrypted all sensitive personal information and that its security practices exceeded industry standards and achieved compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Supposedly the (USA) Consumer Financial Protection Bureau thinks that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from…