thePCI Portal

Category: Security Testing

What is your favourite PCI DSS requirement?

For me, 6.1 and its brethren 6.2.  Knowing about vulnerabilities and doing something about them! As a QSA, I always knew of a big critical vulnerability in each platform I assessed.  A biggie.  The worse the better. I poured over samples seeking unpatched devices.  Every demo session I would be jotting version numbers down continually…

Functionality testing to verify that the change does not adversely impact the security of the system

What are Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…

Vulnerability scans are not for req 6.1

Requirement 6.1 is my favourite PCI DSS requirement!  No fancy tools required.  No specialized knowledge.  It can be largely executed by a person on the helpdesk.    And the impact to the overall security posture organization can be huge.  More than that expensive network appliance.  More than that fancy SIEM.  More than that overpriced vulnerability…

Rogue Wireless AP detection

Technical solutions exist to automate the process of detecting unauthorized wireless access points on a network.  These solutions generally work by monitoring radio frequencies to detect new wireless networks and/or monitoring the wired network for wireless access points.   Sometimes these features are built into the same equipment that provides the authorized wireless networks.  A manual…

Pen Testing for PCI v3.2

Whether you outsource or perform your own penetration tests, you should have a documented penetration testing methodology.  This methodology should: Specify a retention period penetration testing results and remediation activities results. Specify coverage for the entire CDE perimeter and critical systems. (referencing your PCI inscope asset list/inventory is probably a good idea.) Specify the frequency…