Posts by Didier Godart

3 min PCI

PCI 30 second newsletter #24 - PCIco strengthens the scoping rules

This page supplements our newsletter #9 - Defining the Scope of the PCI assessment [/2011/07/14/pci-30-seconds-newsletter-9-defining-the-scope-of-the-pci-assessment]. In terms of scope definition, here is what the PCI DSS says: PCI DSS requirements apply to all system components, defined as any network component, server, or application that is included in or connected to the cardholder data environment (CDE). The scope of a PCI DSS assessment could be reduced using adequate network segmentation, but wh

2 min PCI

PCI 2013 SIGs NOW Open for PO Votes

Here we are in the last lap for the election of the PCI 2013 Special Interest Groups. 663 participating organizations have until 11:59 p.m. EDT on November 9, 2012 to vote for up to two projects. They can review the proposals and vote for up to two projects on the PO portal. In an effort to enrich the community, Rapid7 presents two SIG projects: Internal Scanning and vulnerability management guidelines. Context: #11.2 clearl

6 min PCI

PCI 30 seconds newsletter # 23 – Introduction to Risk Assessment

If you went to work this morning, you took a risk. If you rode your bicycle, walked, or drove a car, you took a risk. If you put your money in a bank, or in stocks, or under a mattress, you took other types of risk. If you bought a lottery ticket at the newsstand or gambled at a casino over the weekend, you were engaging in activities that involve an element of chance – something intimately connected with risk. PCI DSS Requirement 12.1.2 requires organizations to establish an annual process t

3 min PCI

PCI 30 seconds newsletter #22 - Don't get lost in translation with Executives. Get them listening.

"I need people and I need funding to do my job properly. Executives don't get it - they want me to bulletproof their systems but don't want to listen." Does this sound familiar? Of course, such moaning fills the room at security gatherings such as any local PCI Community meeting. Those responsible for IT security usually point to Executives as a major impediment to their mission. Why is that? I think that Executives and IT Security DO work toward the same goal: "Securing the busin

4 min PCI

PCI 30 seconds newsletter #21 - "Qualified" internal scanning staff using "appropriate" scanning tools - What does that mean?

Every customer (merchants, service providers) should be aware that they must assign their quarterly external scans to an Approved Scanning Vendor certified by the PCI Council. What is less known is that external scans conducted after network changes and in between quarterly scans, as well as quarterly internal scans, may be performed by the company's internal staff as long as they are "qualified" and use "appropriate tools". "Qualified staff", "appropriate tools": what does

6 min PCI

PCI 30 seconds newsletter #20 - PCI DSS and SANS Top 20 Critical Security Controls: The Sumo match.

You said "Minimum." Really? How can we be sure that the PCI DSS requirements are sufficient and stay aligned with the evolution of attacks? This is a fair question raised by Mike Mitchell, VP of Global Network Operations at American Express and chairperson at the PCI Council. On page 7 of PCI DSS V2 one can read that "PCI DSS comprises a minimum set of requirements for protecting cardholder data, and may be enhanced by additional controls and practices to further mitigate risks." The term “minim

1 min PCI

PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls

Hi, according to what we are hearing from the field, there are quite a number of active users of this PCI Compliance Dashboard out there. Encouraged by your feedback and your assistance, we worked on this new release. Among other enhancements, it includes references to the SANS Top 20 Critical Security Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will follow, but for now, enjoy this new version of the PCI Compliance Dashboard. What's New? * Add a tabl

3 min PCI

PCI 30 seconds newsletter #19 - Your PCI Logbook - What is required in terms of log management?

P > D + R is a well-known principle in security. It means that the Protective measures in place must be strong enough to resist for longer than the time required to Detect that something wrong is happening and then React. For example, your door must be strong enough to prevent a malicious individual from getting in for at least the amount of time required to detect the incident, alert the police, and have them arrive on site. In this context, log management plays a specific role. It help

3 min PCI

PCI 30 seconds newsletter #18 – What to do if compromised?

Experience and statistics show us that the unlikely happens: we don't know when or how, but we know it will occur. So management should be more concerned with being prepared to face an incident than with being secure. "I'm compliant so I don't care." The above principle has never been so true within the context of PCI, where compliance doesn't really shelter organizations from compromises and therefore penalties. Achievement of PCI compliance is a long, costly, and tedious journey

5 min PCI

Become an Approved Scanning Vendor (ASV) in 3 Steps

If you are working for a security consulting company, having your company certified as an Approved Scanning Vendor (ASV) for the Payment Card Industry Data Security Standard (PCI DSS) can add a lucrative new area to your business. PCI DSS is a worldwide standard that requires companies that accept or process payment cards to comply with a set of security requirements. One of these requirements is a quarterly external vulnerability scan performed by an Approved Scanning Vendor, the so-called ASV. In this blog p

4 min

Cyber attack ranked within the top 5 risks in terms of probability

“The more complex the system, the greater the risk of systemic breakdown, but also the greater the potential for opportunity” - Klaus Schwab, Founder and Executive Chairman, World Economic Forum. The World Economic Forum released its Global Risks 2012 report, outlining the perceived impact, likelihood and interconnectedness of 50 prevalent global risks grouped into five risk categories: economic, environmental, geopolitical, societal and technological. In this post I'

5 min

PCI 30 seconds newsletter #17 - Why are my scan reports so thick? - Impact of "potential" vulnerabilities

"My PCI scan report has more pages than the NASA report on the crash of the space shuttle Columbia." This acerbic statement was made by a merchant complaining about the size of his external scan reports. Verse #11.2 of the PCI data security bible requires organizations subject to PCI compliance to run internal and external network vulnerability scans at least quarterly on their CDE (cardholder data environment). The PCIco regards risk relating to the internal and external sides of the C

3 min PCI

PCI 30 seconds newsletter #16 - Is your organization behaving like a fashion victim or a clown?

In our last newsletter [/2011/11/28/pci-30-seconds-newsletter-15-nice-look] we discussed the severity of the presence of bugs in software, and how these bugs are handled on the software vendor's side. Now let's discuss the customer organization's side. What can we do about software defects? Software is buggy. This is a fact (see PCI newsletter #14 [/2011/11/14/pci-30-seconds-newsletter-14-the-world-isnt-perfect]). Returning to the analogy of protection gear used in our last newsletter [/2011/

3 min PCI

PCI 30 seconds newsletter #15 - Nice Look!

In PCI newsletter #14 [/2011/11/14/pci-30-seconds-newsletter-14-the-world-isnt-perfect] we discussed why bugs aren't fixed in software before release. Once software is released and installed within our environment, these weaknesses are on our side. Is that a problem? Examples: let's take the image of a bridge, a strong and proud bridge. Cars drive over it all day without being aware of the presence of a weakness in its internal structure. In appearance, no threat, no risk.

3 min PCI

PCI 30 seconds newsletter - The World Isn't Perfect

According to the 2011 Verizon Payment Card Industry Compliance Report, requirement 11 - "Regularly test security systems and processes" - is the one least met, so I thought I would dedicate a few newsletters to this subject, starting with the definition and source of vulnerabilities. The term "vulnerabilities" is often used in the PCI DSS standard to mean the following (per the definition given by the Council): Flaws or weaknesses which, if exploited, may result in an intentional or unintentio