For me, 6.1 and its brethren 6.2. Knowing about vulnerabilities and doing something about them! As a QSA, I always knew of a big critical vulnerability in each platform I assessed. A biggie. The worse the better. I poured over samples seeking unpatched devices. Every demo session I would be jotting version numbers down continually…
ASV Program Guide v3.1 (July 2018) 5.5 ASV Scan Scope Definition For the purpose of ASV scanning, the PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component…
If by WAF you mean “an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic”, then we are on the same page! Ryan Barnett wrote about it in 2008 in his Tactical Web Application Security blog . Didier Godart…
Assessed entity question: Can switches get updates from the internet, and remain PCI compliant? QSA’s Sarcastic Question: Where else do patches come from? 🙂 I presume you mean the device actively getting updated from the internet. QSA’s Real Questions: What kind of switches do this? What is the exact mechanism? What is the direction of…
What is the Critical Cybersecurity Hygiene project “Patching the Enterprise”? The objective of this project is to demonstrate a proposed approach for improving enterprise patching practices for general IT systems. Commercial and open source tools will be used to aid with the most challenging aspects of patching, including system characterization and prioritization, patch testing, and…
Requirement 6.1 is my favourite PCI DSS requirement! No fancy tools required. No specialized knowledge. It can be largely executed by a person on the helpdesk. And the impact to the overall security posture organization can be huge. More than that expensive network appliance. More than that fancy SIEM. More than that overpriced vulnerability…
SAQ A for PCI DSS v3.2.1 includes requirement 6.2. So don’t forget that redirecting webserver! So, patch that webserver. How do you verify that patching is happening? Review policies and procedures. Examine system components. Compare list of security patches installed to recent vendor patch lists. Ad below this line:
UPDATED FOR V4! If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? YES! V4 clearly includes PCI DSS requirement 11.3.2! (Note the new V4 numbering) Self-Assessment Questionnaire A and Attestation of…
(all info is from Aug 14 2014) 1. How many ASVs are there? 2. How many in the US? 3. How many in the UK? 4. How many ASVs are listed as **In Remediation**? 5. What percentage of Canada’s ASVs are **In Remediation** ? 6. How many different ways can an ASV become **In Remediation**?…
