Mandatory Risk Ranking

PCI requirement 6.2, “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” includes the additional note:

“The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.”

As the summer (at least in the Northern Hemisphere) is almost upon us, this seems like a good time to remind ourselves what this deadline means to your PCI compliance activities.

Here are the details, as supplied by the PCI SSC.

After June 30, 2012, organizations will be required to assign risk rankings to newly detected vulnerabilities affecting the … Continue Reading
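As an added illustration of what a 6.2 risk-ranking step can look like in practice (this is example code, not from the original post or from the PCI SSC), the snippet below ranks a constructed batch of newly reported vulnerabilities. The criteria are assumptions modelled on the PCI SSC's own guidance for v2.0 of the standard: a vulnerability is ranked "High" if its CVSS base score is 4.0 or above, if the vendor classifies the fix as critical, or if it affects a system in the cardholder data environment (CDE). The vulnerability identifiers and host names are made up for the example.

```python
"""Added example of a PCI DSS 6.2-style risk ranking step.

Illustrative only; the thresholds and host lists below are assumptions,
not figures taken from the original post or the PCI SSC.
"""
from dataclasses import dataclass, field

# Assumed ranking criteria (modelled on the PCI SSC guidance for 6.2):
# CVSS base score of 4.0 or above, a vendor-critical patch, or any
# affected host inside the CDE makes a vulnerability "High".
CVSS_HIGH_THRESHOLD = 4.0

# Constructed inventory of systems in scope (cardholder data environment).
CDE_HOSTS = ["pos-db-01", "pos-app-01"]


@dataclass
class Vulnerability:
    vuln_id: str                 # constructed identifier, not a real CVE
    cvss_base: float             # CVSS base score as reported by the feed
    vendor_severity: str         # vendor's own rating, e.g. "critical"
    affected_hosts: list = field(default_factory=list)


def risk_rank(vuln, cde_hosts):
    """Return ("High" or "Low", list of reasons) for one vulnerability.

    Every criterion that fires is recorded so the ranking decision is
    auditable, which is what an assessor will ask to see.
    """
    reasons = []
    if vuln.cvss_base >= CVSS_HIGH_THRESHOLD:
        reasons.append(f"CVSS base {vuln.cvss_base} >= {CVSS_HIGH_THRESHOLD}")
    if vuln.vendor_severity.lower() == "critical":
        reasons.append("vendor classifies the patch as critical")
    in_cde = sorted(set(vuln.affected_hosts) & set(cde_hosts))
    if in_cde:
        reasons.append("affects CDE hosts: " + ", ".join(in_cde))
    return ("High" if reasons else "Low"), reasons


def rank_feed(vulns, cde_hosts):
    """Rank a batch and return (vuln_id, rank, reasons), High first."""
    ranked = [(v.vuln_id, *risk_rank(v, cde_hosts)) for v in vulns]
    ranked.sort(key=lambda row: (row[1] != "High", row[0]))
    return ranked


# Constructed sample feed: two obvious cases and two edge cases
# (a low CVSS score on a CDE host, and a score exactly at the threshold).
SAMPLE_FEED = [
    Vulnerability("VULN-0001", 9.3, "critical", ["pos-db-01", "wiki-01"]),
    Vulnerability("VULN-0002", 2.1, "low", ["wiki-01"]),
    Vulnerability("VULN-0003", 3.5, "moderate", ["pos-app-01"]),
    Vulnerability("VULN-0004", 4.0, "low", ["build-01"]),
]

if __name__ == "__main__":
    for vuln_id, rank, reasons in rank_feed(SAMPLE_FEED, CDE_HOSTS):
        print(f"{vuln_id}: {rank}  ({'; '.join(reasons) or 'no criteria met'})")
```

The point of recording the reasons alongside the rank is that 6.2 asks for a documented process: a list of "High" labels with nothing behind them is much harder to defend at assessment time than one where each ranking names the criterion that triggered it.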

Announcing “first-of-its-kind” PCI Training in Tanzania

We’re delighted to announce our latest training schedule, in collaboration with eCard Solutions in Tanzania.

“Delve right into PCI DSS like never before. eCard Solutions Ltd in collaboration with Ambersail Assured is proud to present a ‘first-of-its-kind’ PCI DSS Training in Tanzania. The training programme has been specifically crafted with the needs of the market in mind whilst also focusing on the different perspectives required for PCI DSS from the various disciplines of an organization.”

Read more at http://www.ecardsolutions.com/pcidsstraining/

A Guide To Validating Claims of PCI Compliance

One of the great challenges of PCI compliance (or indeed any other compliance activity) is understanding the jargon. Qualified Security Assessors (QSAs) talk extensively about “validation”, “assessment” and “evidence” all day long, but sometimes the reasoning behind these terms is obscured.

Part of the issue here is that statements can be made on behalf of products or services claiming that they are “PCI Compliant”. However, such claims need to be assessed carefully.

For example, do you know why you should seek further information when a software vendor states categorically that their log management/file transfer/integrity monitoring/etc software is PCI compliant? (hint: there is … Continue Reading

8 Recurring Themes Within The PCI DSS

The PCI DSS is a security standard that embodies a number of underlying principles. What are these principles?

As with all PCI compliance questions, the answers usually lie in understanding the intent behind the requirements of the standard. Although there are many individual requirements detailed within the PCI DSS, collectively they are based upon a number of sound security principles. Here are eight of them.

  1. Least privilege.  Did you ever delete something by accident?  In any secure environment, this principle is as much about restricting access as it is about saving you from yourself. All administrative privileges should be used only … Continue Reading

Reduce What You Can, Encrypt What You Can’t

A recent article in the Irish Times describing a breach of sensitive data highlights two important security points.

  1. Storing sensitive customer information on multiple mobile devices should be challenged as a genuine business requirement.
  2. Laptop encryption software is a relatively cheap and easy solution to implement, at least on a small scale.

By deploying an inexpensive disk encryption product and putting policies and procedures in place for sensitive data and for the use of home workers’ PCs and laptops, all the bad publicity and expense could have been avoided.

Read more about the incident here.

Updated PA-DSS Program Guide

The SSC has informed us that the PA-DSS Program Guide v2.0 and Attestation of Validation (AOV) v2.01 are now available for immediate use.

These document updates are primarily about alignment and clarification. They don’t represent a change to the PA DSS standard.

Software vendors will be particularly interested in the pricing guide which details the fees charged by the PCI SSC for listing applications, and the associated transition FAQ.  Amongst the changes contained within the new Program Guide are details of “minor change” classifications, now referred to as “No-Impact”, “Low-Impact” or “High-Impact”.  In short, … Continue Reading

Which SAQ Fits My Business?

Choosing the right Self-Assessment Questionnaire (‘SAQ’) can be a very tricky task, especially for merchants with multiple payment channels. The PCI SSC has introduced five different SAQs:

  1. SAQ A - Card-not-present Merchants, All Cardholder Data Functions Outsourced.
  2. SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage.
  3. SAQ C – Merchants with Payment Application Systems Connected to the Internet, No Electronic Cardholder Data Storage.
  4. SAQ C-VT – Merchants with Web-Based Virtual Terminals, No Electronic Cardholder Data Storage.
  5. SAQ D – All Other Merchants and All Service Providers Defined by a Payment Brand as Eligible to Complete an SAQ.

Merchants are eligible to complete … Continue Reading

Top 10: Making PCI Compliance Easier

Top 10 things you can do to make PCI compliance easier.

As a QSA company working with many merchants and service providers, common themes emerge as our clients strive to achieve PCI compliance.

  1. Establish your CDE (cardholder data environment). PCI is about the storage, processing or transmission of payment card data. Any system that does not need to be part of the CDE must be separated from it.
  2. Look for opportunities to reduce the size of your CDE. For example, if you’re using a 3rd party e-commerce payment provider, it is possible that no card data needs to be stored, processed or transmitted by your e-commerce system. Also, did … Continue Reading

View From The Inside: 7 Security Warning Signals

2011 featured plenty of news about high-profile data loss and cybercriminal activity. Some common causes emerge in all of these cases. Poorly managed infrastructure, insecure web applications, and a lack of attention to security procedures are often cited.

But how do these conditions arise? How is it possible that otherwise capable and competent organisations fare so badly?

Our work with clients around the World gives us a privileged insight into the security infrastructure of numerous organisations, from the largest to the smallest, and from the simplest to the most complex. In all cases where data loss or compromise has taken place, common … Continue Reading

The Cloud & PCI – Propagating Failure?

The cloud may be nebulous, but the security of your valuable data assets should be clearly defined.

We are all seeing a continued movement of services into the cloud, especially in the Infrastructure-as-a-Service (IaaS) arena. The security issues around cloud computing seem, to us at least, to be similar to the traditional issues – hardening, secure access, patching, vulnerability management, protecting data assets and so on.

The difference in the cloud is the speed and ease with which new server instances can be provisioned, and the level of expertise needed to do so.

If you fail to securely configure and manage your … Continue Reading