Placement of Exchange FE/CAS Servers in a PCI Compliant Environment
A client asked a great question, and I wanted to share this with others who may be facing the same challenge… (more…)
PCI Council Releases PCI DSS Tokenization Guidelines
The PCI Security Standards Council has released a new Information Supplement, titled “PCI DSS Tokenization Guidelines” that provides additional clarifications regarding the use of tokenization technologies and services to reduce the scope of PCI compliance. (more…)
SAFE Data Act moves one step closer to becoming law
The SAFE Data Act has taken another step towards becoming the nation’s first federal breach notification law. And as the bill proceeds through the legal process, a debate begins to emerge (imagine that!). There is a lot of noise being made about the fact that the bill requires notification within 48 hours of a breach. (more…)
OWASP “Cheat Sheets”
Organizations that must achieve and maintain PCI DSS compliance often have difficulty implementing or redesigning web applications to align with the OWASP Top 10. Raul Siles, an OWASP contributor and SANS ISC Handler, has recently posted an OWASP “cheat sheet” for web application session handling that may be useful when designing and/or reviewing web application sessions. (more…)
Hackers Shift Attacks to Small Firms
In 2010, 63% of breach investigations involved companies with fewer than 100 employees – small firms. That’s up from 27% in 2009 – a dramatic increase. (more…)
Reducing the Scope for PCI Compliance
The PCI DSS comprises over 200 specific requirements, including technical, administrative and policy controls; for this reason, the first consideration when approaching PCI compliance is determining exactly which parts of the environment have to be included within the PCI compliance scope and which do not, based upon the scoping (more…)
PCI Council Releases Revised PA-DSS Eligibility Criteria
On June 29, 2011 the PCI Security Council released a checklist outlining the types of payment applications that are eligible for PA-DSS validation: (more…)
Understanding Data Tokenization
Data Tokenization Considerations (more…)