thePCI Portal

Pen Testing for PCI v3.2

Whether you outsource or perform your own penetration tests, you should have a documented penetration testing methodology. This methodology should: specify a retention period for penetration testing results and for the results of remediation activities; specify coverage for the entire CDE perimeter and all critical systems (referencing your PCI in-scope asset list/inventory is probably a good idea); specify the frequency…

PCI DSS compliance for Service Providers

There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort:

Compliance Assessment Method | Completion and signing info | Annual Service Provider relative effort | Annual QSA effort
Service provider assessed as part of (each) client’s assessment | None | May require onsite visit. Hours/days | Client’s QSA: hours/days…

Supplementary validation for “designated” entities

Have you ever heard of the supplementary validation for designated entities (a.k.a. DESV)? If not, you should be happy. According to the Council’s FAQ for designated entities, “A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements.” Organizations that view PCI…

Does using telnet for admin always require at least a compensating control?

The PCI Guru has an article about an issue with PCI DSS requirement 2.3.b: https://pciguru.wordpress.com/2017/06/09/we-need-a-change-to-2-3-b/. As a reminder, 2.3.b reads: “Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.” And the guidance for 2.3 is: “If non-console (including remote) administration…
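What the 2.3.b review looks like in practice, as an added example that is not part of this page, of The PCI Guru’s article or of any PCI SSC material: a POSIX shell audit that reviews the two kinds of evidence an assessor asks for, the host’s listening sockets and the inetd/xinetd configuration that would (re)enable Telnet, rsh, rlogin or rexec. It assumes plain `ss -ltn` / `netstat -ltn` output, a classic `inetd.conf` and an `xinetd.d` directory as inputs; the port and service lists, the function names and the sample evidence are all constructed for the example.

```shell
#!/bin/sh
# Added example (not code from thePCI Portal, The PCI Guru or the PCI SSC):
# a host-level audit for PCI DSS 2.3.b, "Telnet and other insecure
# remote-login commands are not available for non-console access".
# It reviews listening sockets and the inetd/xinetd configuration that
# would (re)enable those daemons. Input formats assumed: `ss -ltn` or
# `netstat -ltn` output, a classic inetd.conf, and xinetd.d service files.

INSECURE_PORTS="23 512 513 514"                               # telnet, rexec, rlogin, rsh
INSECURE_SERVICES="telnet exec login shell rexec rlogin rsh"  # inetd/xinetd names

# listening_insecure_ports FILE  --  FILE holds `ss -ltn` or `netstat -ltn`
# output. Prints each listening Local Address:Port on an insecure port.
# Exit status: 0 = clean, 1 = findings (usable to gate a hardening job).
listening_insecure_ports() {
    awk -v ports="$INSECURE_PORTS" '
        BEGIN { split(ports, p, " "); for (i in p) bad[p[i]] = 1 }
        NR > 1 {
            # column 4 is Local Address:Port in both tools; take the text
            # after the last ":" so IPv6 forms like [::]:23 match too
            n = split($4, a, ":"); port = a[n]
            if (port in bad) { print $4; found = 1 }
        }
        END { exit found ? 1 : 0 }' "$1"
}

# inetd_insecure_services FILE  --  FILE is an inetd.conf. Prints enabled
# (uncommented) entries for insecure remote-login services together with
# the server program they launch. Exit status as above.
inetd_insecure_services() {
    awk -v svcs="$INSECURE_SERVICES" '
        BEGIN { split(svcs, s, " "); for (i in s) bad[s[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                      # comments, blank lines
        ($1 in bad) { print $1 " -> " $6 " " $7; found = 1 }   # fields 6/7: server + args
        END { exit found ? 1 : 0 }' "$1"
}

# xinetd_insecure_services DIR  --  DIR is an xinetd.d directory. Reports
# service blocks for insecure services unless they carry "disable = yes"
# (xinetd enables a service by default, so a missing disable line counts).
xinetd_insecure_services() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v svcs="$INSECURE_SERVICES" -v file="$f" '
            BEGIN { split(svcs, s, " "); for (i in s) bad[s[i]] = 1 }
            /^[ \t]*#/ { next }
            /^[ \t]*service[ \t]+/ { name = $2; disabled = 0 }
            /^[ \t]*disable[ \t]*=[ \t]*yes/ { disabled = 1 }
            /^[ \t]*}/ {
                if ((name in bad) && !disabled) { print name " (" file ")"; found = 1 }
                name = ""
            }
            END { exit found ? 1 : 0 }' "$f" || found=1
    done
    return $found
}

# audit_host SS_FILE INETD_CONF XINETD_DIR  --  runs all three checks and
# prints every finding; exit 1 if there was any finding.
audit_host() {
    rc=0
    listening_insecure_ports "$1" || rc=1
    inetd_insecure_services "$2" || rc=1
    xinetd_insecure_services "$3" || rc=1
    return $rc
}

# ---- constructed sample evidence (not captured from any real host) ----
write_sample_ss() {       # $1 = output file, mimics `ss -ltn`
    cat > "$1" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:23          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      5      [::]:513            [::]:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
EOF
}
write_sample_inetd() {    # $1 = output file, mimics /etc/inetd.conf
    cat > "$1" <<'EOF'
# telnet is commented out, but rsh and rlogin are still live
#telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
daytime stream tcp nowait root internal
shell   stream tcp nowait root /usr/sbin/tcpd in.rshd
login   stream tcp nowait root /usr/sbin/tcpd in.rlogind
EOF
}
write_sample_xinetd() {   # $1 = directory, mimics /etc/xinetd.d
    mkdir -p "$1"
    printf 'service telnet\n{\n\tdisable = no\n\tserver = /usr/sbin/in.telnetd\n}\n' > "$1/telnet"
    printf 'service shell\n{\n\tdisable = yes\n\tserver = /usr/sbin/in.rshd\n}\n' > "$1/rsh"
}

# Stand-alone run: the constructed samples first (expect 5 findings), then
# the live host's own listeners when `ss` is available.
tmp=$(mktemp -d)
write_sample_ss "$tmp/ss.txt"; write_sample_inetd "$tmp/inetd.conf"; write_sample_xinetd "$tmp/xinetd.d"
audit_host "$tmp/ss.txt" "$tmp/inetd.conf" "$tmp/xinetd.d" && echo "samples: clean" || echo "samples: FINDINGS above"
if command -v ss >/dev/null 2>&1 && ss -ltn > "$tmp/host.txt" 2>/dev/null; then
    listening_insecure_ports "$tmp/host.txt" && echo "this host: no insecure remote-login listeners"
fi
rm -rf "$tmp"
```

On a real host, feed it `ss -ltn` output, `/etc/inetd.conf` and `/etc/xinetd.d`. A clean result is evidence, not proof: a daemon bound to a non-standard port, or one started by a systemd socket unit rather than inetd, only shows up in the listener check, so pair the script with a package or binary inventory (is `in.telnetd` installed at all?) before citing it in a 2.3.b review.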

What is an “Associate QSA”?

Today’s press release from the Council announced efforts towards easing the resource constraints felt by QSA Companies: the PCI SSC is developing the Associate QSA certification with the goal of attracting new cyber talent to the program. This project is a first step in a phased…