PCI DSS version 1.2 differences and updates
Wednesday, October 1st, 2008 | Posted in Approved Scanning Vendor, Compensating Controls, Compliance, Merchant, PCI DSS, PCI SSC, Service Provider, Third-Parties, Web Applications, Wireless | 11 Comments
On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements. There are a number of changes as outlined previously in the update document. The PCI SSC has established a life cycle process that will ensure ...
Definitions, Roles and Responsibilities of PCI
Sunday, June 29th, 2008 | Posted in Approved Scanning Vendor, Card Brands, Merchant, PCI DSS, PCI PIN, PCI SSC, QSA, pa-dss | 1 Comment
In the payments industry there exist the PCI guidelines. When we refer to PCI we are usually talking about the PCI DSS, although as anyone will tell you there is also the PCI PED, PCI PA-DSS, and others you should ...
Technical and Operational Requirements for Approved Scanning Vendors
Friday, November 2nd, 2007 | Posted in Approved Scanning Vendor, Database, PCI DSS, Web Applications | 3 Comments
For some reason, I've run into an inordinate number of questions this week regarding vulnerabilities that weren't addressed directly in the PCI-DSS -- or at least only addressed in a cursory fashion. The document that contains many of these ...
Have you bullied your way into PCI compliance?
Wednesday, September 26th, 2007 | Posted in Approved Scanning Vendor, PCI DSS, Vendors | 3 Comments
Much like other professions, end-of-quarter is always an interesting time for anyone who works in the PCI space. Working for an ASV allows me purview into a flurry of activity, as a significant number of merchants invariably wait until ...
Where did the operating system go? Security as a service
Monday, July 2nd, 2007 | Posted in Approved Scanning Vendor, PCI DSS, Service Provider, Vendors | 1 Comment
A few weeks back I was invited to the Qualys annual conference in San Francisco. Their theme was Software as a Service (SaaS). No sooner had I returned than CIO Magazine had Software as a Service as their ...
Vulnerability Management Grows Up
Friday, June 29th, 2007 | Posted in Approved Scanning Vendor | No Comments
From Dark Reading: JUNE 27, 2007 | Vulnerability management isn't just about slapping on the latest patches anymore. That's because a vulnerability isn't always just a publicly identified bug by Microsoft or CERT. "Vulnerabilities can be problems in configurations, missing patches, software ...
The Spanish QSA
Monday, June 4th, 2007 | Posted in Approved Scanning Vendor, Europe, QSA | 6 Comments
If you download the latest QSA list, open it up and do a quick search for "Spain", you'll only come up with one name: Daniel Fernandez Bleda of Isecauditors.com, based right here in my home town of Barcelona. I'd had someone ...
PCI DIY - Cross-Site Scripting
Friday, May 11th, 2007 | Posted in Approved Scanning Vendor, PCI DIY, PCI DSS | 1 Comment
You're vulnerable. Really? Don't hold back or anything. How can you be so sure? Because your ASV said so, and if your ASV says so, there's a 99.999% chance that they're right. Pretty much everyone is vulnerable to XSS in ...
PCI and Microsoft 0-day?
Sunday, April 1st, 2007 | Posted in Approved Scanning Vendor, Compensating Controls, PCI DSS | 1 Comment
I'm curious to see if anyone was affected by the 0-day Microsoft vulnerability that was released right before the end-of-quarter. Did your company wait until the last minute to submit their PCI report to their issuing bank (as many companies tend ...
Compliance != Security
Monday, March 26th, 2007 | Posted in Approved Scanning Vendor, Compliance, PCI DSS | 22 Comments
Compliance standards -- PCI included -- are intended to foster interest and improvement in data security. While theoretically this seems like a fine idea, in practice the two concepts seem to be continually at odds. The negative ...