Welcome to Collaborative Strategy Guild, where insights are transformed into actions at the intersection of collaboration, information management, security, and business strategy.

So, as promised on Friday, here’s an interesting discussion that Diana brought my attention to the other day. It’s basically a discussion about how to (ostensibly) eliminate PCI scope – by manipulation of who hosts payment-related HTML forms. How could that possibly matter, you ask? More on that in a minute.
The article itself would only be semi-interesting on its own, but what makes it worth reading are the comments. Comments like the following:
This is stupefying to say the least, that 1) Visa’s own gateway does not understand the idea of PCI Scope, and 2) that the… Continue reading: PCI: Define your scope
After much anticipation, the PCI Security Standards Council released the Virtualization SIG guidance on June 14th. TechTarget asked for my take on the findings:
For years, retailers, merchants and payment service providers have asked the question: Can virtualization be used in a PCI-compliant cardholder data environment (CDE)?
Several qualified security assessors (QSAs) and auditors argued that the PCI DSS “one function per server” requirement (Requirement 2.2.1) rules out virtualization as an acceptable technology in a CDE. Other QSAs, auditors and architects posited the “one function per server” requirement could instead be met by installing one function per virtual machine (VM) server running on top of… Continue reading: Get it while it’s Hot! PCI VirtSIG Analysis

Overwhelmed by all of the documentation and resources associated with PCI? I have two articles over at TechTarget that untangle levels, special guidance, and other PCI-related docs:
PCI Levels, Assessments and Reports
PCI DSS Documentation, Resources for Solution Providers
Continue reading: PCI Compliance: Resources for Solution Providers

This morning, I came across this on Security Park entitled, “Retailers must begin to explore how to become PCI-DSS compliant to avoid being next on the hacker’s hit list”. Anybody else find this concerning?
The indication seems to be that there is an implied connection between being PCI compliant and being “next on the hacker’s hit list”:
Retailers aren’t giving enough attention to compliance so the execution is poor. SMEs in particular are vulnerable. Larger companies are richer targets, but most have accompanying budgets and IT departments dedicated to protecting their vital customer information. As PCI DSS regulations take hold, fraudsters are targeting less well-defended small businesses.
Are folks still… Continue reading: Trust me, hackers care about compliance (not)
After our PCI virtual seminar last week we had so many questions that we were not able to address them all during the live Q&A. Asked us to answer them and post them in the Compliance Counselor section of their site – which we did.
So, please to enjoy our 30 answers to your PCI DSS v2.0 questions!
Continue reading: Questions on PCI – We have answers!