Control Gap Blog - 12 Tips To Avoid Credit Card Data Breaches
PCI DSS: 12 Requirements to Protect Your Customer’s Credit Card Data
Traditionally, ill-intentioned criminals have targeted banking institutions to reap financial gain....
Posts about:
pci (2)
This Week's [in]Security - Issue 260 | insecurity | Control Gap
PCI DSS v4 is Coming – What Can You Rely On
PCI DSS v4.0 is coming and will bring big changes. The exact nature of the changes aren’t yet available as the standard is still evolving under the PCI Councils Request...
8-Digit BINs and the Great PCI Truncation Reset | pci,blog | Control Gap
Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.
- Don’t upgrade your end-of-life software, it’s fine. After all it’s not like you won’t be able to upgrade overnight when a zero-day gets published. Besides the vendor's sure to provide a patch.
- Don’t patch those pesky middle and high-risk items on internal networks. It’s not like an intruder will try and move laterally through your network.
- Ignore those network and security appliances. You didn’t install the OS and who ever heard of firmware vulnerabilities.
- You’re only doing this for a PCI checkbox, your assessor may not notice, and it isn’t like you should be worried about ransomware.
- Sleep better at night, it's run fine for years and just look at all the time, money, and effort you saved.
Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print | blog,pci,humour | Control Gap
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.
- Assume you can outsource your accountability for security and compliance.
- Assume your service provider does everything for you and don't confirm your responsibilities.
- Change service providers to save money.
- Act surprised when your assessor asks you for your scans, pen-tests, code reviews, patching records, etc.
- Exercise your right to audit clause (if you have one) and include your service providers inside your annual assessment at your cost.
- Due diligence and preparation are just too boring.
Non-Compliance Lesson No. 1: Wait until your assessment to validate scope | blog,pci,humour | Control Gap
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and painful.
Quantum Cryptography for Risk Managers or Shor, Grover, and the Crypto-Apocalypse | blog,pci,cryptography,quantum | Control Gap
According to some, quantum cryptography will revolutionize cryptography, kill our current ciphers, and reveal all our secrets. But if you're a risk manager, you're likely turned-off by claims of an impending crypto-apocalypse. You want to get past the hyperbole to something you can work with. You will want to know how likely this is, how to sort out facts from spin, what kinds of resources are available, how long you've got to prepare, and what preparation and planning do you need to do. You need to understand that quantum isn't just one thing, one risk, or the only risk. Join us as we break it all down for you.
Why Organizations Need to Become Crypto-Agile and What that Means | blog,pci,cryptography | Control Gap
Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES and other 64-bit blocked ciphers are on the way out. RSA will likely follow, and our current pre-quantum public key cryptosystems will eventually become deprecated. These changes have impact and require widespread coordination. Old software and hardware will need to be upgraded or replaced. It will require time, effort, money, and pro-active management. Simply reacting will be risky, painful, and expensive. Industry needs to learn from past changes so that organizations can be ready. Most importantly, we need to do better than we have done in the past. But how?
Why did my PCI DSS Scope Explode?
It can be extremely frustrating for a compliance team to realize that additional systems are in-scope. It means additional and unexpected security controls and validation. The most stressful time of year for PCI compliance staff, during an onsite assessment, is the worst time to discover new scope. Yet, this problem affects many organizations. Report on Compliance assessments often uncover these unknown scope components, so you are not alone if this happened to you.