PCI DSS

Debate on the New Guidance from PCI Council – does it go far enough?

The PCI Security Standards Council has released brand new guidance to advise businesses how they should use penetration testing to identify network vulnerabilities that could be exploited for malicious activity. However, a recent article has been published online by BankInfoSecurity.com (BIS) that appeared to flag up a difference of opinion as to the effectiveness of the new guidance. Whilst one […]

Debate on the New Guidance from PCI Council – does it go far enough? Read More »

Why is POODLE and SSL v3 a problem?

As I’m sure you already know, PCI DSS v3.1 introduces a single change to replace “SSL” with “strong cryptography” in section 4.x. Whilst it might be a single change in PCI DSS, it literally means hundreds of thousands of HTTPS web pages around the world need their underlying web servers reconfiguring to use strong encryption.

Why is POODLE and SSL v3 a problem? Read More »

PCI DSS Compliance – ESSENTIAL tips for SMEs

As a small to medium sized business owner you need to juggle cash flow, credit control, human resources, sales and IT management with fewer resources and a smaller budget than most of the large corporate organisations. If you accept credit card payments, you know you probably have to be PCI DSS v3.0 compliant but lack

PCI DSS Compliance – ESSENTIAL tips for SMEs Read More »

Third Party Security Assurance for PCI DSS

Almost 2 years ago, 2-sec founded the PCI SSC’s Third Party Security Assurance SIG, following the PCI SSC Community Meeting in Dublin. The aim of the SIG was to incorporate third party security assurance guidance into PCI DSS v3.0 and to produce an information supplement. Sounds easy, doesn’t it? But with input from over 200

Third Party Security Assurance for PCI DSS Read More »

Target and Trustwave sued over data breach

News hit the wire today that Target’s acquiring banks have issued another lawsuit against Target, including Trustwave as a co-defendant. This time the banks are trying to recover some costs incurred from Target’s managed data security services provider, presumably for negligence or not detecting the vulnerability and fixing it sooner. This marks new territory for

Target and Trustwave sued over data breach Read More »

The SAQ-A-EP Apocalypse

The PCI SSC recently announced the new PCI DSS v3.0 Self Assessment Questionnaires (SAQs). Of particular interest was SAQ-A-EP, that has enshrined Visa Europe’s original guidance on securing Hosted Payment Pages (HPPs) into PCI DSS v3.0. This of course is a great move for card data security as a whole, but generally bad news to

The SAQ-A-EP Apocalypse Read More »

Your data’s safe with us…

I was visiting an airline site today, and when prompted to enter my credit card details to book the flight, and whether or not I wanted to store my card details for future transactions, saw the note: “It’s safer to store your payment card details in our secure vault than it is to send them

Your data’s safe with us… Read More »

The PCI SSC vs the US Congress

The general manager of the PCI SSC, Bob Russo, and CTO Troy Leach were recently invited to present to the US Congress, on the subcommittee “Protecting Consumer Information: Can Data Breaches be Prevented?”. Their statements can be found here: https://www.pcisecuritystandards.org/documents/140202_PCI_SSC.pdf https://www.pcisecuritystandards.org/documents/HMTG-113-IF17-Wstate-RussoB-20140205.pdf Whilst the statements did a good job at supporting the PCI SSC and its

The PCI SSC vs the US Congress Read More »

Host Security Module and PCI DSS 3.5.2

It was interesting to note in PCI DSS v3.0, when conducting one of our first v3.0 assessments, that section 3.5.2 refers to a host security module, with regards to protecting data encrypting keys: 3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

Host Security Module and PCI DSS 3.5.2 Read More »

The Cyber Sentinel

Start typing and press enter to search