Secure Payments, PCI DSS, Regulatory Compliance Blog

Archive for the ‘Compensating Controls’ Category

PCI DSS version 1.2 differences and updates

Wednesday, October 1st, 2008 Posted in Approved Scanning Vendor, Compensating Controls, Compliance, Merchant, PCI DSS, PCI SSC, Service Provider, Third-Parties, Web Applications, Wireless | 11 Comments »

On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements.  There are a number of changes as outlined previously in the update document.  The PCI SSC has established a life cycle process that will ensure ...

Verify that Compensating Controls work

Tuesday, June 10th, 2008 Posted in Compensating Controls, Merchant, QSA, Service Provider | 1 Comment »

If you build a new deck in your backyard, would you test it out before inviting your friends and family over for a bar-b-que?  Well it turns out that many merchants are documenting compensating controls but not actually testing them ...

Leveraging web application scanners for PCI compliance

Monday, October 15th, 2007 Posted in Compensating Controls, Web Applications | 4 Comments »

Several people have written in to ask me about the different web application scanners and their applicability to PCI. One should remember that there are several requirements that a web application scanner could be used for, mainly 6.5, 6.6, ...

Documenting compensating controls

Tuesday, August 21st, 2007 Posted in Compensating Controls | No Comments »

As many of you know by now, when meeting a PCI control requirement with a compensating control two things should happen: The control should be marked "In Place" with a comment added that it is being met with a compensating control, ...

Standards for the Standard?

Saturday, July 28th, 2007 Posted in Compensating Controls, QSA | 3 Comments »

PCI is confusing. The requirements themselves are simple enough, and aim to strike a balance between business objectives and prescribing network topology. I have found it a useful guideline at CSO-level, even when engineers find it a little frustrating, and ...

Understanding Compensating Controls

Thursday, June 21st, 2007 Posted in Compensating Controls, Encryption | 5 Comments »

Mike Rothman of Security Insight regularly links to our blog so we figure it's time we return the favor in an article on compensating controls. I should first point out that we have written on PCI compensating controls in ...

Ten Commandments of PCI

Thursday, May 24th, 2007 Posted in Compensating Controls, PCI DSS | 2 Comments »

While listening to the This American Life episode of the Ten Commandments, I'm thinking about the ten commandments of PCI. I would like to know what your PCI "commandments" are, but here are mine. Thou shalt comply with PCI. All ...

PCI and Microsoft 0-day?

Sunday, April 1st, 2007 Posted in Approved Scanning Vendor, Compensating Controls, PCI DSS | 1 Comment »

I'm curious to see if anyone was affected by the 0-day Microsoft vulnerability that was released right before the end of the quarter. Did your company wait until the last minute to submit its PCI report to its acquiring bank (as many companies tend ...

Bootable POS systems are the future of retail

Monday, March 26th, 2007 Posted in Compensating Controls, Merchant, Payment Applications, Point of Sale | 5 Comments »

I was talking with someone (at this age I forgot who) about compensating controls for file integrity monitoring and they suggested a bootable point of sale (POS) system with read-only access. What an excellent idea, and if it was ...

Compliance through compensating controls

Wednesday, February 28th, 2007 Posted in Compensating Controls, Compliance | 1 Comment »

I agree with Michael that security is not seasonal but feel a little education is needed for the other Mike when it comes to his views on compensating controls.  I used to be in the criticize-and-critique camp, but that was ...