Blog

Since the SIG for addressing the impact of virtualization in PCI compliance has yet to be published, there has been a mixed reaction to whether or not virtualization SHOULD be used in the cardholder data environment. (more…)

I have had many questions on the topic of compliance for Level II PCI Merchants that are transitioning from a SAQ (self-assessment questionnaire) to an On-site audit with a Report on Compliance (ROC). Many are concerned with the prospect that they are non-compliant with many of the controls and want to know what they should do and what risks they face. (more…)

PCI Compliance Adoption Rates. Visa’s latest report (updated as of June 30, 2010) on the percentage of the current merchant and service provider population currently validated as PCI compliant shows that most companies have now achieved compliance with the PCI Data Security Standard (DSS). (more…)

So I’ll admit I’m relatively new to the PCI Compliance arena. That said, I’ve been working with technology and financial companies for the last 15 years and while I’ve seen topics come & go; PCI Compliance is here to stay. I’ve noticed some commonalities from the folks I’ve spoken with recently and I wanted to share some of my favorites. (more…)

The Payment Card Industry Data Security Standard, or PCI DSS, provides a well-defined list of security requirements, but many organizations are left with more questions than answers when it comes to determining how best to address each requirement in a manner that will be considered acceptable for PCI compliance. (more…)

Incident Response & First Responders. Being in information security sales, we’ve all taken the call from a client who’s been breached.  They’re usually in a bit of panic, high pitched voice, short, staccato sentences.  Best thing to do is calm them down, and advise them they’ve already taken the best first step, which is to call their information security partner!  We’ll throw on our superman (or woman, I’m not biased) costume and be there in 10 minutes! (more…)

A quick Google on “Data Loss Prevention Definition” results in the following definition from a couple different sources: (more…)

Maintaining network documentation for PCI Compliance. The PCI Data Security Standard (PCI DSS) is a set of about 200 prescriptive technical and process-centric requirements intended to help organizations proactively secure credit card data.  Entities that store, process or transmit credit card data, including merchants, service providers and card issuers of all sizes, are required to comply with the PCI DSS. (more…)

One of the common misunderstandings we’ve noticed among merchants is in relation to the proper definition of a PCI Service Provider.  Most companies understand that if they share cardholder data with a third party, that entity is a Service Provider and needs to be covered for DSS requirements 12.8.x.  But there’s another class of Service Providers that often gets overlooked… (more…)

As most people familiar with the PCI Data Security Standard would agree, properly defining scope for PCI compliance is a key success factor in achieving compliance with this challenging set of requirements.  Network segmentation, if properly implemented, can limit the scope of applicability for the PCI DSS to a subset of the network and systems in an organization.  Unfortunately, many companies inadvertantly define the scope for PCI improperly due to some common misunderstandings related to the rules for PCI compliance scope definition. (more…)