PCI DSS V3.2 Requirement 8.2.3 requires 7 character long passwords 8.2.3 Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above. I think its reasonable that…
I think that everyone would agree that the a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant. They could also be assessed as part of the assessed entity’s assessment. But do they need to be “assessed” or “compliant” at all? I think its a risk based decision that depends on…
Some of the simple common questions regarding what is allowed for multifactor authentication are answered in FAQs from the Council. Some of the more complex ones aren’t and need technical expertise to answer, sorry. FAQ 1425: Is “two-step” authentication the same as “two-factor” or “multi-factor” authentication? Answer summary: NO FAQ 1449: Is two-step authentication acceptable…
Technical solutions exist to automate the process of detecting unauthorized wireless access points on a network. These solutions generally work by monitoring radio frequencies to detect new wireless networks and/or monitoring the wired network for wireless access points. Sometimes these features are built into the same equipment that provides the authorized wireless networks. A manual…
Whether you outsource or perform your own penetration tests, you should have a documented penetration testing methodology. This methodology should: Specify a retention period penetration testing results and remediation activities results. Specify coverage for the entire CDE perimeter and critical systems. (referencing your PCI inscope asset list/inventory is probably a good idea.) Specify the frequency…
Hopefully your work is complete (or well underway!) to move from SSL/early TLS to a more secure encryption protocol June 30 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged). And while you are at it, double check to…
Have you ever heard of the supplementary validation for designated entities (a.k.a DESV)? If not, you should be happy. According to the Council’s FAQ for designated entities, “A Designated Entity is determined by an Acquirer or Payment Brand as an organization that requires additional validation to existing PCI DSS requirements. “ Organizations that view PCI…
Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…
A significant change triggers several required action for PCI DSS compliance. PCI DSS Requirement Annual Significant Change 6.6 • Web application vulnerability security assessments, AND/OR • Automated technical solution that detects and prevents web-based attacks, such as web application firewalls. Include tests for the vulnerabilities in 6.5.1 to 5.5.10 YES YES 11.2 internal and…
The term REPORT FINDINGS HERE occurs 844 times in the version 3.2 ROC reporting template. 939 times in version 3.1 926 times in 3.0 Not once in v2.0 (it had a different format). Some can be filled with as little as two letters: NO Some require several paragraphs. Huh, I thought it was bigger…
