Sunday, March 21, 2010


Archive for the ‘PCI’ Category

PCI DSS Ambiguities and How to Overcome Them

In a video over at the SearchSecurity site, Ed talks about the:

questions that pose the greatest challenge to enterprises as they struggle to interpret the requirements; outlines recent and upcoming clarifications from the PCI Security Standards Council; and discusses strategies used in the field to reduce the complexity.

Does “one function per server” mean that we can’t use virtualization?
Must our penetration testing and/or quarterly scanning cover everything or just the cardholder environment?
If we miss one of our quarterly scans, does that mean we need to wait a full year to be compliant?
The requirements state individuals with a “legitimate business need” can view PANs. What does that mean?


Restaurateurs, SIs, and PCI

Dan Kaplan has a piece in SC Magazine on the lawsuit being filed against SI/resellers Radiant Systems and Computer World by some restaurants in Louisiana and Mississippi.

Dan interviewed me for the piece:

Diana Kelley, founder of consultancy Security Curve, said she understands where the restaurants have a case, considering Visa alerted the two defendants in April 2007 that their systems were non-compliant. The eateries claimed they never learned of the warning, but Kelley said they still are required to perform a PCI assessment, which should have caught the vulnerabilities.

“We’re going to have a judge put some case law on where the accountability does lie,” she said. “It really could change the landscape.”


PCI Compliance Summit

BrightTalk is hosting a day-long PCI Compliance Summit on October 27th. Looks like they’ve put together a really solid agenda.

Diana will be presenting “Software Security for Compliance, PCI, and Beyond” at 10 a.m. Eastern. Please listen in if you have time!

PCI requirement 6 and sub-requirement 6.6 have caused confusion among retailers and merchants trying to understand how best to secure Web-facing applications. In this session, Diana Kelley explains web-application security, PCI requirement 6 and 6.6, and the PA-DSS and why creating secure code is essential to protecting assets. She provides an explanation of how security can be woven throughout the software development lifecycle and explains some of the most common web application security vulnerabilities.


Tokenization and PCI

Rob Westervelt interviewed Diana for a piece on tokenization for PCI compliance.

“It’s a great technology overall, but merchants have to make sure there are no other instances of PAN data around to really get the full benefit,” Kelley said, adding that PAN data can slip into log files and volatile memory.
