Secure Payments, PCI DSS, Regulatory Compliance Blog

Author Archive

Standards for the Standard?

Saturday, July 28th, 2007 Posted in Compensating Controls, QSA | 3 Comments »

PCI is confusing. The requirements themselves are simple enough, and aim to strike a balance between business objectives and prescribing network topology. I have found it a useful guideline at CSO-level, even when engineers find it a little frustrating, and ...

The Spanish QSA

Monday, June 4th, 2007 Posted in Approved Scanning Vendor, Europe, QSA | 6 Comments »

If you download the latest QSA list, open it up and do a quick search for "Spain", you'll only come up with one name: Daniel Fernandez Bleda of Isecauditors.com, based right here in my home town of Barcelona. I'd had someone ...

Hardware Security Modules: part II - why do I need an HSM?

Friday, May 11th, 2007 Posted in Encryption, PCI DSS | 4 Comments »

History

HSMs have been around for a number of years, but were not an immediate commercial success. Eracom produced an HSM as early as 1983, about which I can find little detail, but am assured that it was secure, tamper-proof, used ...

Hardware Security Modules: part I - the basics

Thursday, May 10th, 2007 Posted in Encryption | 7 Comments »

HSMs and PKI are pretty big subjects, and putting every piece of information about them into a blog post would make it fairly unreadable. What follows is therefore a basic primer of information you will need to understand before I ...

PCI catches some problems

Thursday, May 3rd, 2007 Posted in Compliance, PCI DSS, Vendors, Web Applications | 5 Comments »

RSnake at Dark Reading has written a nice little article about XSS and PCI. Unfortunately he then goes and spoils all the good work by saying how you can fix application vulnerabilities with WAFs. Urgh. I've read a lot recently about ...

Integrity for PCI

Thursday, May 3rd, 2007 Posted in Audit log, PCI DSS, Vendors | 8 Comments »

It's not every day you get to see yourself in print; this is why we blog. It takes a special kind of self-interest to maintain a blog, and an almost blind faith in what you are saying. That's why I always ...

Do NOT read this post

Sunday, April 29th, 2007 Posted in Compliance, Europe, PCI DSS | 16 Comments »

I'm in two minds whether to write this post because it feels like I'm encouraging non-compliance to a degree, but I've been thinking hard about this disclosure stuff recently, and recall the conversation I had with Kenneth Belva last month. ...

Some disclosure progress

Sunday, April 29th, 2007 Posted in Europe, Government, PCI DSS | No Comments »

I was having a look around to see if I could find any more data on the forthcoming European disclosure rulings that I talked about recently, because it is becoming more apparent just what an effect they will have for ...

Mi casa es su casa

Friday, April 27th, 2007 Posted in Europe, PCI SSC | No Comments »

The last couple of weeks have been a slow easing back into work for me. I've been back in the UK for a month, but getting ready to return to Spain tomorrow. No blog posts for a few days as ...

Just a quickie

Wednesday, April 25th, 2007 Posted in Uncategorized | 2 Comments »

Everyone should read this blog post about a diamond heist in Belgium. Superb reporting of a story which makes a very good point. Nothing to do with PCI. But what it does show is that you can be as compliant ...