PCI DSS

Content Security Policy (CSP) HTML Headers

A number of years ago I was trying to renew my subscription to a well-known antivirus tool and found that there were 37 different URLs invoked on the checkout page, including two with .cn TLDs. Needless to say, the renewal didn’t happen.

PCI DSS

PCI DSS Training Requirements

The PCI DSS standard ostensibly only has a few training requirements which, in my experience, most organizations do a good job of keeping up with. However, there are some not-so-obvious teams which get regularly overlooked with regard to training.

PCI DSS, vCISO, Penetration Testing, Security Program

What is “Internal Penetration Testing” for PCI DSS Requirement 11.3?

Introduction: PCI DSS requires internal penetration testing, external penetration testing, and segmentation testing. But these terms are not crisply defined. In fact, “internal” is used elsewhere in the standard (for example, internal vulnerability scanning) where it

PCI DSS

What Constitutes a Primary Function for PCI DSS?

PCI DSS requirement 2.2.1.a says “describe how system configurations verified that only one primary function per server is implemented.”

PCI DSS

Watch those Vendor Application Change Release Notes like a Hawk!

At a client site recently I was watching a customer service rep as she performed her duties during a PCI DSS interview, and noticed that when she went to add a new payment method, a whole list of saved card numbers (redacted) showed up in the PAN

PCI DSS

Due Diligence for PCI DSS Vendor Selection

PCI DSS Requirement 12.8 dictates that any organization involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers—must have policies and procedures in place to manage its service providers.

PCI DSS

PCI DSS - Are Mobile Applications In-scope?

Say you are interested in developing an application that runs on consumers’ devices, and this application of yours will be used to accept payment card data. Perhaps, in this hypothetical reality, you have no idea where your app’s obligations

PCI DSS

Your 7 Step PCI Compliance Checklist

The journey towards Payment Card Industry Data Security Standard (PCI DSS) compliance can seem daunting. While there are only a handful of top-level tasks to complete, there are dozens of sub-requirements and goals to meet for each, all of which may

PCI DSS, Security Program

I never touch Cardholder Data - Does PCI DSS Apply to me?

Payment cards have been around a long time, and nefarious schemes to take advantage of them have been around almost as long. Since most people do not read the legal agreements they sign up to, they are unaware of their real responsibilities towards

PCI DSS

The Best Ways to Maintain Your Organization's PCI DSS Documentation

Becoming compliant with the Payment Card Industry Data Security Standard (PCI DSS) can be a time-consuming process — but it’s a non-negotiable security standard required of merchants and other organizations that handle payment card data.
