For me, 6.1 and its brethren 6.2. Knowing about vulnerabilities and doing something about them! As a QSA, I always knew of a big critical vulnerability in each platform I assessed. A biggie. The worse the better. I poured over samples seeking unpatched devices. Every demo session I would be jotting version numbers down continually…
So you are wondering why you can not find the latest PCI DSS v4 version to participate in the RFC? You meet the criteria as a PO, QSA or ASV, but the document is nowhere to be found in the other PCI portal. Its because access to the RFC is restricted to your organizations’ primary contact. …
My experiences and observations around becoming an Internal Security Assessor. Hi, my name is Marlen, and I’ve been working with a QSA handling PCI Compliance on behalf of my employer, a level 2 merchant retailer of Wine, Beer, Spirits, and as of late, Cannabis (a legal product in our jurisdiction). We are now taking the…
Have you heard of fishbowl? I was recently introduced to it. It bills itself as a way to “Connect and share with people in your industry”. The groups of interest are referred to as “bowls” and there is one for PCI DSS practicioners. Supposedly there is a mechanism for anonymously sharing working conditions (and compensation…
There are many folks in the PCI industry who will soon require a second security certification. For a lot of them, it will mean the pursuit of an auditor certification from this list: ISACA Certified Information Systems Auditor (CISA) GIAC Systems and Network Auditor (GSNA) Certified ISO 27001, Lead Auditor, Internal Auditor 1 IRCA ISMS…
Remain calm. There is no PCI DSS v4.0 yet. But from the recent community meeting it looks like v4.0 will become “objective” based. The new Software Security Framework (aka the S3 Framework) will be the Council’s first take using an “objective” based approach. (The Software Security Framework will incorporate the Payment Application Data Security Standard…
The case against certificates of compliance: They aren’t a real thing. The AOC (attestation of compliance) is a real thing. Please don’t ask your service providers for a certificate of compliance. You will make the PCI Guru angry. He correctly guides us to FAQ 1220 and thinks they aren’t worth the paper they are printed…
Have you ever heard of the supplementary validation for designated entities (a.k.a DESV)? If not, you should be happy. According to the Council’s FAQ for designated entities, “A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements. “ Organizations that view PCI…
Today’s press release from the council announced efforts towards easing the resource constraints felt by QSA Companies. The PCI SSC is developing the Associate QSA certification with the goal of attracting new cyber talent to the program and easing the resource constraints felt by QSA Companies. This project is a first step in a phased…
