Posts tagged Compliance

2 min Metasploit

PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3

If you're accepting or processing credit cards and are therefore subject to PCI DSS, you'll likely be familiar with requirement 11.3, which demands that you "perform penetration testing at least once a year, and after any significant infrastructure or application upgrade or modification". What most companies don't know is that you don't have to hire an external penetration testing consultant - you can carry out the penetration test internally, providing you follow some simple rules: * Sufficie

1 min PCI

PCI Compliance Dashboard - New version available

Hi, The new version of the PCI Compliance Dashboard is out, now including the PCI-SANS Top 20 Critical Security Controls matching matrix. What's New? * Add a table of contents and navigation links * Add a "Scope" sheet allowing you to define the Cardholder Data Environment (CDE) * Update the Executive summary showing your progress on your PCI compliance journey based on the selected merchant type * Add the option to hide/unhide non-applicable requirements associated with the selected Me

3 min PCI

Thoughts on the Verizon 2011 PCI Compliance Report

If you ever try to get data about the compliance rate from the PCIco or the Payment Brands, you will know how challenging it is: probably more challenging than finding the Holy Grail. So in this context, the release of the Verizon 2011 Payment Card Industry Compliance Report is quite enlightening for the security industry and merchant community. It gives us a good sense of the reality of

1 min PCI

What to do if your organization can't demonstrate four passing PCI internal or external scans

Two cases: 1) Your company is assessed for the first time: Entities participating in their first ever PCI DSS assessment are only required to demonstrate that the most recent scan result meets the criteria for a passing scan, and there are policies and procedures in place for future quarterly scans, to meet the intent of this requirement. So to be compliant with 11.2 the first time you are assessed, you only need to demonstrate that the most recent scan is a PASS. 2) Reassessment (from th

3 min PCI

PCI 30 seconds newsletter #12 – Mind The Gap

Once the scope [/2011/07/14/pci-30-seconds-newsletter-9-defining-the-scope-of-the-pci-assessment] of the assessment is determined, our next stop on the PCI roadmap is the gap analysis process. Objective: Identify gaps between where we stand and where we want (or need) to be in terms of compliance. This process provides a foundation for measuring the investment of time, money and human resources that's required to achieve a particular outcome; in this case, PCI compliance. Who should perform

2 min PCI

PCI 30 seconds newsletter #11 – Tokenization

Our newsletter #9 [/2011/07/14/pci-30-seconds-newsletter-9-defining-the-scope-of-the-pci-assessment] about PCI scoping introduced “tokenization” as one acceptable technique to reduce the scope of the cardholder data environment or CDE. Let's clarify this concept in this newsletter. The concept: The concept of tokenization is quite simple to understand: replacing a valuable asset with a non-valuable one. This is the same principle as when a museum uses replicas for public exhibition while kee

2 min PCI

PCI 30-seconds newsletter #10 – The Prioritized Approach

As introduced in our newsletter #8 - DSS in a nutshell [/2011/07/06/pci-30-sec-newsletter-8-dss-in-a-nutshell], organizations subjected to compliance are required to implement more than 200 requirements. With this in mind, achieving compliance could be a painful, long and costly exercise, so it's legitimate to wonder how to approach this. In response, the PCI Council shared their view on the best approach to compliance. They code-named this the “Prioritized Approach”. What is it? A tool to help

1 min PCI

PCI Assessor Update - August 2011 in a nutshell

Hi, The council just released their Assessor update for this month. For your convenience I have summarized below the essence of this newsletter. Relevant to All: 1) Assessors may suggest new topics for Special Interest Groups (SIGs) until August 31st. The submission form can be found here. 2) Clarification for PCI-DSS 11.1 - Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly

3 min Compliance

Disclosure, Destruction, and Denial

A few years ago while I was working at the Defense Cybercrime Center (DC3), one of my colleagues, Terrence Lillard, talked about the DDD triad in regards to what attackers want to do to an organization's assets. I haven't heard anyone outside of him using that term, but I think it's worth sharing. I participated in an awesome mini-conference event last week with the Metasploit Development team and this came up during my talk on Risk Management. When I asked the audience of seasoned security practitioner

4 min PCI

PCI 30-seconds newsletter #9 – Defining the Scope of the PCI assessment

Entities subjected to the PCI program have the ultimate responsibility for defining the scope of the PCI assessment. What does that mean? According to the rules, the PCI scope must encompass all “system components” included in, or connected to, the Cardholder Data Environment (CDE). What is the CDE? The PCIco defines the CDE as the people, processes and system components that store, process or transmit cardholder data or sensitive authentication data. Side note: There is a simple way to

2 min PCI

PCI 30 sec newsletter #8 - DSS in a nutshell

PCI DSS was originally developed by MasterCard and Visa through an alignment of security requirements contained in their respective programs to secure ecommerce: the Site Data Protection for MasterCard and the Cardholder Information Security Plan (CISP) for VISA US. PCI DSS adopts a top down approach. It starts with six high level "goals": a confusing terminology as the unique goal of the program is to protect cardholder data while transmitted, processed and stored by an entity. I would prefer

2 min PCI

PCI 30 sec newsletter #7 - Certification programs, striving for quality

In 2005 - for the first time in history - all major payment brands collaborated to create a unique set of requirements (PCI DSS) aimed at reducing credit card fraud. As a consequence, we have seen a demand for new security-related solutions and services emerging. We didn't have to wait long to see the security industry respond to this demand, integrating the three-letter acronym into their marketing plans. Suddenly every security company is a self-proclaimed PCI expert and is offering to

4 min PCI

PCI 30 seconds newsletter N°6 – The Validation Toolbox

PCI is probably one of the few compliance programs out there equipped with a compliance validation toolbox. In this newsletter I would like to briefly cover the content of this toolbox. ASV network vulnerability scans: This tool has been specifically designed to help organizations meet one particular requirement of PCI DSS (11.2.2). "Perform quarterly external vulnerability scans via an Approved Scanning Vendor (ASV), approved by the Payment Card Industry Security Standards Council (PCI SS

2 min PCI

PCI 30 second newsletter N°5 – What's your "type"?

Do not mistake “Levels” for “Types”! In newsletter #4 we saw that the payment brands classify organizations accepting and processing credit cards into “levels.” Levels are related to the number of transactions processed annually on the payment brand networks and are used to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete. So, pay attention: do not mistake “levels” for “types,” which is another classification used in the context

1 min PCI

PCI 30 seconds Newsletter N°4 - Merchant levels: What, Who and How

In today's post I will briefly outline the levels associated with PCI, and more specifically the merchant levels. What is a level? A “level” is a classification of organizations accepting and processing credit cards. Levels are defined and used by the payment brands to indicate what compliance validation procedures and reporting requirements targeted entities are expected to complete. There is no consensus in this area between payment brands (this would be too easy) so there are as many levels de