Jan 17 2009 8:00PM GMT
Posted by: Charles Denyer
sas 70 audits,
sas70,
PCI DSS,
payment card industry data security standards,
pci compliance,
two-factor authentication for pci dss,
change mangement for pci dss
Regarding PCI DSS, as a PCI QSA i’m often asked what’s the most difficult hurdle that organizations need to overcome for ensuring PCI DSS compliance. Well, we could talk at length about some of the technical, I.T. challenges, such as two-factor authentication, encryption (though not required.lol!). But in all seriousness, organizations are very deficient on having documented policies and procedures in place for their critical infrastructure. From change management to tape/media backup and recovery procedures, many organizations fail to have these very policies and procedures documented in an organizational wide corporate security document, or something of a similar nature, such as online WIKI.
So, why is this such a repetitive and persistent problem for companies? For the most part, it has to do with the lack of expertise in writing these documented policies and procedures along with finding the time to do them. They can be painstakingly slow and arduous to complete. The solution; hire a firm that have experience and expertise in developing and writing policies and procedures for PCI DSS and for any other regulatory compliance mandate your company may encounter, such as SAS 70 audits.
Dec 30 2008 3:21PM GMT
Posted by: Charles Denyer
Security,
SOX,
regulatory compliance,
audits,
payment card industry,
PCI DSS,
PCI,
pci compliance,
SAS 70,
SAS 70 readiness questionnaire,
What is SAS 70?,
SAS 70 checklist,
sas70,
sas70 sample reports,
pci dss qsa,
sas 70 control objectives,
sas 70 type ii,
SAS 70 Type I,
pci assessment,
sas 70 sample report,
sas 70 audit report,
payment card industry data security standards
When ushering in the new year festivities, keep in mind that a number of regulatory compliance issues will be facing your organization also as 2009 looms just around the corner. No, they’re not stocking stuffers, rather, they can be considered expensive, time-consuming, and arduous, to say the least. Here’s your list of 2009 Regulatory Compliance mandates that may very well find there way into your organization.
SAS 70
SAS 70 Type I and SAS 70 Type II audits have become increasingly popular since the advent of Sarbanes Oxely in 2002. Service organizations, third party outsourcing entities, and a slew of other companies have had to grapple with the time and costs associated with this widely recognized auditing standard. If your organization needs to become SAS 70 Type I or SAS 70 Type II compliant for 2009 and beyond, then take time to learn about this specialized auditing standard via the most comprehensive website available on SAS 70 audits, sas70.us.com. You can even obtain a free sample SAS 70 Type II report along with downloading numerous white papers and other expert subject matte on SAS 70 Type I and SAS 70 Type II audits.
PCI Compliance
Payment Card Industry Data Security Standards (PCI DSS) compliance is fast becoming a hot regulatory compliance issue. The major payments brands, such as Visa, Mastercard, American Express, Discover and JCB, have unilaterally agreed on a number of security provisions for the protection of cardholder data. In summary, any entity directly involved in the processing, storage, or transmission of transaction data or cardholder data should be looked upon as a PCI DSS candidate. But what really is PCI and where can you learn more about compliance and what your organization needs to do? Visit pciassessment.org, a comprhensive guide to understanding what PCI DSS compliance is and who is affected.
Dec 30 2008 2:08PM GMT
Posted by: Charles Denyer
payment card industry,
PCI DSS,
PCI,
pci compliance,
pci dss qsa,
pci assessment,
payment card industry data security standards,
pci dss requirement 1.1.1,
pci dss requirement 1.1.2
Is your organization seeking to become Payment Card Industry (PCI) Data Security Standards (DSS) compliant for 2009? Are you a merchant or service provider that is directly involved in the processing, storage, or transmission of transaction data or cardholder data? If you answered yes to these questions, then its time you learn more about PCI DSS compliance and what the road ahead holds for your organization.
First and foremost, PCI DSS compliance is spreading like wildfire, to say the least. From small start up, locally owned companies to large e-commerce entities, PCI DSS compliance is becoming mandatory for every conceivable organization that conducts commerce with payment cards.
To be fair, regulation for PCI DSS compliance was somewhat lax and disjointed in the beginning, but much has changed in the last six months as the major payment brands are starting to push PCI DSS compliance much deeper and in a more transparent way then ever before.
If you want to learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, then visit pciassessment.org, one of the most in-depth sites currently available for PCI DSS news and information.
2009 is just around the corner, so properly plan for having your organization become PCI DSS compliant.
Nov 23 2008 7:24PM GMT
Posted by: Charles Denyer
regulatory compliance,
payment card industry,
PCI DSS,
PCI,
pci compliance,
SAS 70,
qsa,
pci dss qsa,
policies and procedures,
pci assessment,
sas 70 audit report,
payment card industry data security standards,
pci dss requirement 1.1.2
Payment Card Industry (PCI) Data Security Standards (DSS) compliance for PCI DSS requirement 1.1.2 calls for “Current network diagram with all connections to cardholder data, including any wireless networks” Thus, testing for validating 1.1.2 requires verification “that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.”
Okay, once again here, the key phrase is “current network diagrams”. What does this essentially mean? It means having a subject matter expert within your I.T. department developing a current network diagram and topology documents showing all critical connection points along with a visual of all critical hardware and network components that make up the network topology. More importantly, these diagrams and network topology documents should be current and updated on a quarterly basis to reflect overall changes in the network layout of the organization. Keep in mind that these documents will also be valuable for other regulatory compliance mandates, such as a SAS 70 Type II audit, which many merchants and service providers have to have at some point in their business lifecycle.
And though the requirement for PCI DSS 1.1.2 calls for these network diagrams for only “connections to cardholder data” its a very good and wise idea to draw and map out your organization’s entire network topology. Why? Because it just makes good business sense and again, it helps with other regulatory compliance mandates that your organization may have to endure.
To learn more about SAS 70 audits, visit the official SAS 70 Resource Guide
To learn more about PCI DSS compliance, visit pciassessment.org
Nov 23 2008 7:14PM GMT
Posted by: Charles Denyer
payment card industry,
PCI DSS,
PCI,
pci compliance,
qsa,
pci dss qsa,
policies and procedures,
pci assessment,
payment card industry data security standards,
pci dss requirement 1.1.1
PCI DSS Requirement 1.1.1 calls for “A formal process for approving and testing all network connections and changes to the firewall and router configurations”. Thus, the test to validate this, in accordance with PCI DSS 1.2 standards is to “Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations”. Thus, network connections, firewall rulesets/configurations and settings to routers must be placed in a proactive mode for ensuring continuous protection for the organization. As threats become known and as business needs change, this formal process needs to be documented to address this specifically.
The key phrase here my friends is “formal process”. What does that really mean? It means having documented policies and procedures in place for approving and testing connections/changes to these critical devices. Easier said than done as most organizations do not have the time or resources to formally write out documented policies and procedures. Beware, as this is a very large part of ensuring PCI DSS compliance. To learn more about PCI DSS and documented policies and procedures for PCI DSS compliance, visit pciassessment.org.
Nov 23 2008 7:03PM GMT
Posted by: Charles Denyer
firewalls,
regulatory compliance,
payment card industry,
PCI DSS,
PCI,
pci compliance,
ports,
qsa,
pci dss qsa,
pci assessment,
requirement 1.0,
requirement 1.1,
configurations
Payment Card Industry (PCI) Data Security Standards (DSS) for Requirement 1.1 require organizations to “Establish firewall and router configuration standards”. This requirement falls under the functional area of the overall Requirement 1.0, which states that organizations must “Install and maintain a firewall configuration to protect cardholder data”. So, what does this requirement 1.1 specifically mean and what do merchants, service providers and other supporting organizations need to be aware of? In short, PCI DSS requirements for 1.1 call for organizations to “Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete”. In essence, its a rather straightforward testing approach that requires that configuration standards are commensurate and in line with the business needs of the organization for ensuring that no unwanted or malicious traffic is kept out and that only the traffic designated is allowed through. A PCI QSA can verify this requirement by consulting and inspecting the current firewall settings and configurations. Take note, as all unnecessary ports and configurations should be closed if they are not suitable or conducive to the cardholder environment. To learn more about PCI DSS, visit pciassessment.org
Nov 13 2008 3:28AM GMT
Posted by: Charles Denyer
service providers,
payment card industry,
PCI DSS,
PCI,
pci compliance,
pci dss qsa,
pci assessment,
payment card industry data security standards,
merchants
Are you a merchant or service provider that needs to be Payment Card Industry Data Security Standards (PCI DSS) compliance? Are you an entity directly involved in the processing, storage, or transmission of transaction data or cardholder data? If so, then read on because one of the most important steps for ensuring PCI DSS compliance is done in an efficient manner is to start with a PCI DSS Readiness Assessment. Why? Well, you crawl before you walk don’t you? As with PCI DSS compliance, its not wise to jump right in and obtain an assessment without doing any type of due diligence work on your organization.
One of the main benefits of a PCI DSS Readiness Assessment is the ability to identify gaps, deficiencies, and core weaknesses that will be need to be strengthened and corrected before obtaining any type of PCI DSS assessment from a Qualified Security Assessor Company, commonly known as a QSAC. Learn more about a PCI DSS Readiness Assessment at pciassessment.org
Nov 13 2008 2:53AM GMT
Posted by: Charles Denyer
payment card industry,
PCI DSS,
PCI,
pci compliance,
pci dss qsa,
pci assessment,
payment card industry data security standards,
Minnesota (MN) Plastic Card Security Act
The state of Minnesota recently codified part of the Payment Card Industry (PCI) Data Security Standards (PCI) framework into actual law. Thus, Minnesota has essentially become the first state to codify the PCI standards into actual law; an actual watershed decision to say the least, with many states soon to follow in their footsteps. In fact, Texas and California have taken great interest in PCI, as witnessed by both their respective bodies of legislatures introducing PCI provisions into the Senate and House chambers. Though TX and CA were unsuccessful in passing any actual law that would of become codified, it does signal the growing strength that the Payment Card Industry Data Security Standards (PCI DSS) initiatives are having around the country.
It seems likely that many other states will follow in the footsteps of MN, TX, and CA. Thus, merchants and service providers should be aware that they will be soon, if not already, under the compliance radar regarding PCI DSS compliance.
To learn more about Payment Card Industry Data Security Standards (PCI DSS) compliance, visit pciassessment.org
Nov 12 2008 3:55PM GMT
Posted by: Charles Denyer
service providers,
payment card industry,
PCI DSS,
PCI,
pci compliance,
policies and procedures,
pci assessment,
payment card industry data security standards,
MN plastic card security act,
merchants
If you are a merchant or service organization and need to be payment card industry (PCI) compliant with the PCI DSS provisions, then there are a number of important points you need to know. First and foremost, you need to identify what level you are in accordance with PCI DSS requirements. You can find this information at pciassessment.org.
Second, you will need to find a qualifed QSAC (Qualified Security Assessor Company) that can assist you with all levels of PCI compliance, regardless of what level you fall under. Third, you will need to have the QSAC conduct a PCI DSS readiness for understanding your cardholder transaction environment and what gaps, holes, and deficiencies you may have that could hinder the overall PCI DSS assessment process. Easier said than done? It sure is, as most companies are good at what they do, but are very weak in having documented policies and procedures in place for PCI DSS compliance. I stress this because it is one of the biggest and most often overlooked areas of PCI DSS compliance. While we all get carried away talking about firewalls, routers, anti-virus, DMZ, etc, many times organizations fail to recognize the importance of documented policies and procedures.
To learn more about PCI DSS compliance, visit pciassessment.org
