Merchants should spend more time doing what they are good at—i.e., selling and merchandising—versus trying to keep up with validating and maintaining PCI compliance. How can this be accomplished? Using either an end-to-end encryption (E2EE) or point-to-point encryption (P2PE) solution for each point-of-sale (POS) system eliminates some of the complex hoops that merchants are required…
Read
In part 1 of this blog series, we explored objective standards for evaluating application cipher suites using the National Institute of Standards and Technology (NIST) standard. Reviewing that is not required to continue here. For those of us lucky enough to apply cryptology within a Payment Card Industry (PCI) context, this part is for you….
Read
I have a pretty good gig. I get to see the unique security approaches of dozens of companies every year. Sometimes the things we discuss come up so frequently, they should probably be shared…anonymously, of course. Frequently, folks are tasked with fixing insecure transport security. This is often due to test results from: Introducing new…
Read
In 2019, the Payment Card Industry (PCI) Security Standards Council (SSC) modified the Qualification Requirements for Qualified Security Assessor (QSA) employees. Prior to the modification, the requirements stipulated that QSA employees must hold either an Information Security certification or an audit certification, but now QSA employees must have a minimum of two (2) industry certifications:…
Read
The Endpoint Detection & Response (EDR) and Advanced Threat Protection (ATP) marketplace is abuzz with products that blur the lines of personal firewall, host-based intrusion detection system (IDS) and intrusion prevention system (IPS), anti-virus, system logging, and file integrity monitoring (FIM). These solutions are centrally managed from your web browser and include advanced dashboards for…
Read
There are certain items contained within the 12 PCI requirements that have to be performed based on defined frequencies. In my experience, companies sometimes struggle with adhering to some if not all of these items. There are a number of reasons that this might happen, whether it’s related to employee turnover, unfamiliarity with the items,…
Read
This week I attended the PCI North American Community Meeting. If you are in the payment security space and haven’t been to a community meeting, I would recommend that you put this on your conference schedule. It’s great to connect with like-minded individuals, including card brands, banks, large customers, vendors, and yes, assessors – both internal (ISAs)…
Read
Having completed several PCI-DSS (Payment Card Industry – Data Security Standard) Reports on Compliance (RoCs) over the past couple of years, I have noticed a consistent pattern on the items needed for the 12 requirements. I have found that there are three basic components to most if not all PCI requirements: Documentation (Policies, Standards, and…
Read
What type of emotions are created in you when you hear the term ‘PCI?’ Anxiety? Possibly fear? For some, it may be disgust. Most favorably, some may feel a sense confidence or enthusiasm. Ok, I agree that enthusiasm is rarely listed as an emotion felt when hearing the term ‘PCI,’ although there may be someone…
Read
Version 3.2.1 of the PCI DSS was just released by the PCI Security Standards Council (PCI-SSC). As a minor version, it primarily included clarification updates and one correction to a requirement reference. Most of the changes center around the removal of the January 31st date, which expired this year. Appendix A2.1-A2.3 was updated to focus…
Read