Secure Payments, PCI DSS, Regulatory Compliance Blog

Search Results

PCI DSS version 1.2 differences and updates

Wednesday, October 1st, 2008 Posted in Approved Scanning Vendor, Compensating Controls, Compliance, Merchant, PCI DSS, PCI SSC, Service Provider, Third-Parties, Web Applications, Wireless | 11 Comments »

On October 1, 2008, the PCI SSC released version 1.2 of the PCI DSS requirements.  There are a number of changes, as outlined previously in the update document.  The PCI SSC has established a life cycle process that will ensure ...

PCI SSC Clarifies Requirements 6.6 and 11.3

Tuesday, April 22nd, 2008 Posted in PCI DSS, PCI SSC, Web Applications | 15 Comments »

Today the PCI SSC issued a press release about their clarification to PCI DSS Requirements 6.6 (web-application firewall vs. secure code review) and 11.3 (penetration testing).  If you check the supporting documents section of the website you will find the ...

PCI too prescriptive?

Tuesday, February 6th, 2007 Posted in Compliance, PCI DSS, QSA | 3 Comments »

I want to thank Ed at SecurityCurve for posting a clarification on his concerns about PCI. I think his statements are true and something to be discussed. The question is always posed, "Is PCI too detailed or not ...

What should a Penetration Test include?

Monday, November 13th, 2006 Posted in PCI DSS, Third-Parties | 11 Comments »

Some people have asked (and others have added to the confusion) about what PCI DSS actually requires under requirement 11.3, which mandates an annual penetration test. Here are some answers to those questions. Who? The requirement does not specify who must perform ...

Does Nessus satisfy the vulnerability scanning requirement?

Wednesday, November 1st, 2006 Posted in PCI DSS, Vendors | No Comments »

A recent blog post talks about the misconceptions people have about using Nessus in their PCI audits. The question many people have been asking is: "Can I use Nessus to satisfy my scanning requirements?" The answer to this ...

What is an Application Firewall?

Tuesday, September 26th, 2006 Posted in PCI DSS, Payment Applications, Vendors | 3 Comments »

The moment news broke of the new PCI Security Standards Council (PCICo) and the addition of requirement 6.6, everyone started asking, "so what constitutes an application firewall?" Does it have to be an application or an appliance? What ...