Posts by Didier Godart

1 min PCI

New version of the PCI Compliance Dashboard

The idea behind the PCI Compliance Dashboard is to provide you with one unique document to manage your PCI journey. I want to avoid you having to open multiple PDF documents to get all the information you need. Many of you suggested adding an executive summary section. This is now done! What's new? To this end, the new version of the PCI Compliance Dashboard includes: * An "Executive Summary" showing your progress along your PCI journey. The Executive summary takes into ac

3 min PCI

PCI 30 second newsletter #13 - Compensating Controls: Magic Trick or Mirage?

There are circumstances where companies could face some technical or business impediments preventing them from implementing the requirements as explicitly stated in the standard. Does this mean that these companies could never achieve and maintain compliance? There is a common misconception that organizations must meet the requirements as they are written. This is not the case. The important thing is that the inherent security objectives behind each requirement are met. The PCIco and the Pa

1 min PCI

PCI Compliance Dashboard - New version available

Hi, The new version of the PCI Compliance Dashboard is now available, including the PCI-SANS Top 20 Critical Security Controls matching matrix. What's New? * Add a table of contents and navigation links * Add a "Scope" sheet allowing you to define the Cardholder Data Environment (CDE) * Update the Executive summary showing your progress on your PCI compliance journey based on the selected merchant type * Add the option to hide/unhide non-applicable requirements associated with the selected Me

3 min PCI

Thoughts on the Verizon 2011 PCI Compliance Report

If you have ever tried to get data about the compliance rate from the PCIco or the Payment Brands, you know how challenging it is: probably more challenging than finding the Holy Grail. In this context, the release of the Verizon 2011 Payment Card Industry Compliance Report [http://www.verizonbusiness.com/resources/reports/rp_2011-payment-card-industry-compliance-report_en_xg.pdf] is quite enlightening for the security industry and merchant community. It gives us a good sense of the reality of

1 min

Can I use compensating controls to resolve vulnerabilities found during a scan?

Resolving vulnerabilities found during a scan before a passing scan result can be issued is not always immediately possible, and sometimes the only possible solution is the use of a Compensating Control. Compensating controls are not meant to be the de facto response to an identified vulnerability. Compensating controls may only be employed if a true technical limitation or business need prevents a vulnerability from being corrected. This is most commonly the case for zero-day vulnerabiliti

1 min PCI

What to do if your organization can't demonstrate four passing PCI internal or external scans

Two cases: 1) Your company is assessed for the first time: Entities participating in their first ever PCI DSS assessment are only required to demonstrate that the most recent scan result meets the criteria for a passing scan, and there are policies and procedures in place for future quarterly scans, to meet the intent of this requirement. So to be compliant with 11.2 the first time you are assessed, you only need to demonstrate that the most recent scan is a PASS. 2) Reassessment (from th

3 min PCI

PCI 30 seconds newsletter #12 – Mind The Gap

Once the scope [/2011/07/14/pci-30-seconds-newsletter-9-defining-the-scope-of-the-pci-assessment] of the assessment is determined, our next stop on the PCI roadmap is the gap analysis process. Objective: Identify gaps between where we stand and where we want (or need) to be in terms of compliance. This process provides a foundation for measuring the investment of time, money and human resources that's required to achieve a particular outcome; in this case, PCI compliance. Who should perform

2 min PCI

PCI 30 seconds newsletter #11 – Tokenization

Our newsletter #9 [/2011/07/14/pci-30-seconds-newsletter-9-defining-the-scope-of-the-pci-assessment] about PCI scoping introduced “tokenization” as one acceptable technique to reduce the scope of the cardholder data environment or CDE. Let's clarify this concept in this newsletter. The concept: The concept of tokenization is quite simple to understand: replacing a valuable asset with a non-valuable one. This is the same principle as when a museum uses replicas for public exhibition while kee

2 min PCI

PCI 30-seconds newsletter #10 – The Prioritized Approach

As introduced in our newsletter #8 - DSS in a nutshell [/2011/07/06/pci-30-sec-newsletter-8-dss-in-a-nutshell], organizations subjected to compliance are required to implement more than 200 requirements. With this in mind, achieving compliance could be a painful, long and costly exercise, so it's legitimate to wonder how to approach this. In response, the PCI Council shared their view on the best approach to compliance. They code-named this the “Prioritized Approach”. What is it? A tool to help

1 min PCI

PCI Assessor Update - August 2011 in a nutshell

Hi, The council just released their Assessor update for this month. For your convenience I summarized below the essence of this newsletter. Relevant to All: 1) Assessors may suggest new topics for Special Interest Groups (SIGs) until August 31st. The submission form can be found here. [https://www.pcisecuritystandards.org/pdfs/PCI_SIG_Proposal.pdf] 2) Clarification for PCI-DSS 11.1 - Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly

4 min PCI

PCI 30-seconds newsletter #9 – Defining the Scope of the PCI assessment

Entities subjected to the PCI program have the ultimate responsibility for defining the scope of the PCI assessment. What does that mean? According to the rules, the PCI scope must encompass all “system components” included in, or connected to, the Cardholder Data Environment (CDE). What is the CDE? The PCIco defines the CDE as the people, processes and system components that store, process or transmit cardholder data or sensitive authentication data. Side note: There is a simple way to

2 min PCI

PCI 30 sec newsletter #8 - DSS in a nutshell

PCI DSS was originally developed by MasterCard and Visa through an alignment of the security requirements contained in their respective programs to secure ecommerce: the Site Data Protection program for MasterCard and the Cardholder Information Security Program (CISP) for VISA US. PCI DSS adopts a top-down approach. It starts with six high-level "goals": a confusing terminology, as the unique goal of the program is to protect cardholder data while it is transmitted, processed and stored by an entity. I would prefer

2 min PCI

PCI 30 sec newsletter #7 - Certification programs, striving for quality

In 2005 - for the first time in history - all major payment brands collaborated to create a unique set of requirements (PCI DSS) aimed at reducing credit card fraud. As a consequence, we have seen a demand for new security-related solutions and services emerging. We didn't have to wait long to see the security industry respond to this demand, integrating the three-letter acronym into their marketing plans. Suddenly every security company is a self-proclaimed PCI expert and is offering to

4 min PCI

PCI 30 seconds newsletter N°6 – The Validation Toolbox

PCI is probably one of the few compliance programs out there equipped with a compliance validation toolbox. In this newsletter I would like to briefly cover the content of this toolbox. ASV network vulnerability scans: This tool has been specifically designed to help organizations meet one particular requirement of PCI DSS (11.2.2). "Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SS

2 min PCI

PCI 30 second newsletter N°5 – What's your "type"?

Do not mistake “Levels” for “Types”! In newsletter #4 we saw that the payment brands classify organizations accepting and processing credit cards into “levels”. Levels are related to the number of transactions processed annually on the payment brand networks and are used to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete. So, pay attention: do not mistake “levels” for “types”, which is another classification used in the context