RE: Implement only one primary function per server
How about considering standard risks like:
- Web server and database server on the same system
- Database and domain controllers on the same system
- etc.

PCI Program Development
I am reviewing our current program and hoping anyone can share their current PCI program workflows. Thanks!

PA-DSS Mandated Training
Is there a list of training service providers that provide the PCI-mandated training for payment application vendor personnel as per PA-DSS 5.1.17 and PA-DSS 14.1? Thanks in advance.

Harvesting credit card numbers and passwords from your site
Hacker Noon: "I’m harvesting credit card numbers and passwords from your site. Here’s how." Good reading for everyone working on PCI and much more; post by David Gilbertson. Link:...

PCI DSS 3.2 Requirement 5 says anti-virus should be there
Hi, PCI DSS 3.2 Requirement 5 says that anti-virus/anti-malware should be on all vulnerable operating systems, but the CyberArk (PIM) team says that the system which has the CyberArk Vault should not carry the...

Vulnerability scan report or report
Hi Team, One of my customers is facing an issue with a vulnerability scan and its fix. Actually, he is using an ASV (Approved Scanning Vendor) to scan for vulnerabilities within the perimeter and found...

PCI DSS v3.2 and TLS 1.2 or greater: deadline to update for merchants
Reaching out for guidance/advice for merchants updating to TLS 1.2. In the e-commerce arena, did you document any plans? Did you complete any specific testing? Did you identify customers using outdated...

PCI DSS 3.2 Requirement 11.3.2 says that internal PT
Hi, This is in reference to PCI DSS 3.2 Requirement 11.3.2, which says that "internal PT should be done at least twice in a year or followed by any major changes". Can anyone suggest an open source tool to...

PCI and secure email?
Our business, PCI DSS certified, would like to use a PCI-compliant email solution to transmit credit card data and remain PCI compliant. Our QSA is highly recommending we avoid this approach "as it is...

PCI for Card Production
Hello, I would like to hear from the experience of someone who has done a PCI gap assessment for a card production environment. How to go about it, and how best to conduct an internal PCI assessment for card...

Transferability of Certification Status
Dear Community Members, A customer of mine (PCI DSS Certified) is currently selling his payment card business (e.g. the payment division) to a third party (not PCI DSS Certified), and I am currently...

PCI DSS 3.2 and Windows Remote Desktop SSL certificate issue
Hello, One of my customers: the system is not part of a domain, and it is Windows 2016 Standard. Remote Desktop is enabled on this machine. There are the following findings with the Qualys scanner as per PCI...

Providing card data to law enforcement/legal
Hi all, As a card payment processor we sometimes get involved in assisting local or regional police in fraud and criminal investigations. In such cases we are usually considered a witness, and our...

PCI Inventory and VoIP Systems
We all know that if you take credit card numbers over the phone, your IP-based phone system is generally in scope for PCI DSS. My question is, when it comes time to provide your system/device inventory, do...

PCI DSS QSA - Servicing markets
I am currently in the middle of an RFP for this year's PCI certification and I have a logical confusion on one point. Let me summarize it:
- We, as a card processing company, are located solely in the EU...

"Doing Business As" Impacts
We are acquiring companies that have credit card payment processing. In preparing the merchant accounts for the newly acquired entity, the bank asked whether the newly acquired entity...

Is SSL/TLS version 1.1 compliant for PCI DSS or not?
Hello Team, I am confused about the SSL/TLS version migration. As per the requirement, my client has upgraded from SSL/TLS version 1.0 to 1.1 and above, but still the QSA says that even SSL/TLS version 1.1 is...

PCI DSS Requirement on Quality Assurance and User Acceptance Testing
Hi all, I have heard from a colleague that testing of a system, say, an online banking application, should not involve the use of client information (e.g. client accounts, names, etc.). Actually, I am not...

Credit Card Data Scanning
What are some good tools/software to perform scanning for credit card data (or other sensitive data) within your network? Looking for some options that are easy to implement and intuitive to use. All...
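Every card-data discovery tool, commercial or open source, boils down to the same core: pull digit runs out of text, normalise out spaces and dashes, then keep only those that pass the Luhn check so that order numbers and timestamps are not reported as PANs. The following is an added example of that core, written for this digest and not taken from the post above or from any vendor product. The candidate regex, the 13-19 digit length window, the binary-file heuristic and the sample text are all assumptions made for illustration; in a real scan you would also want to cover databases, mailboxes and archives, which this file-walker does not touch.

```python
"""Minimal PAN discovery scanner: regex candidates + Luhn filter + masked reporting.

Added example for illustration; not a vendor tool and not from the original post.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run. Assumption: tune for your data formats.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_pan(digits: str) -> bool:
    """Length window plus Luhn; rejects obvious filler like all-same digits."""
    if not 13 <= len(digits) <= 19:
        return False
    if len(set(digits)) == 1:
        return False
    return luhn_ok(digits)


def mask(digits: str) -> str:
    """Keep first 6 and last 4 (PCI DSS 3.3 style) so the report is not itself CHD."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Hit:
    source: str
    line_no: int
    masked_pan: str


def scan_text(source: str, text: str) -> Iterator[Hit]:
    """Yield one Hit per Luhn-valid candidate, with the PAN masked."""
    for n, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if is_plausible_pan(digits):
                yield Hit(source, n, mask(digits))


def scan_file(path: Path) -> Iterator[Hit]:
    """Scan one file; skip unreadable files and (crudely) binaries."""
    try:
        data = path.read_bytes()
    except OSError:
        return
    if b"\x00" in data[:4096]:       # assumption: NUL in the head means binary
        return
    yield from scan_text(str(path), data.decode("utf-8", errors="ignore"))


def scan_tree(root: Path) -> List[Hit]:
    """Walk a directory tree and collect hits from every regular file."""
    return [h for p in sorted(root.rglob("*")) if p.is_file() for h in scan_file(p)]


# Constructed sample: well-known public test card numbers plus look-alikes.
SAMPLE_TEXT = """\
2019-03-01 order=1234567890123456 customer=alice phone=+1-555-0100
card=4111 1111 1111 1111 exp=12/22 cvv=***
Note: charged 5500-0000-0000-0004 via terminal 7
amex 378282246310005 on file (test data)
typo 4111 1111 1111 1112 should not pass luhn
"""


def sample_hits() -> List[Hit]:
    """Run the scanner over the constructed sample (used by the demo and tests)."""
    return list(scan_text("sample", SAMPLE_TEXT))


if __name__ == "__main__":
    import sys
    hits = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else sample_hits()
    for h in hits:
        print(f"{h.source}:{h.line_no}: {h.masked_pan}")
```

Run it with a directory argument to walk a share or server, or with no argument to see it flag only lines 2, 3 and 4 of the sample: the 16-digit order number on line 1 and the mistyped card on line 5 fail Luhn and are dropped. The report masks every hit, which matters in practice: an unmasked discovery report is itself cardholder data and pulls the scanning host into scope.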

ISACA launching new online discussion forum
ISACA is launching a new platform to host our Online Discussion Forums soon. We are very excited for everyone to experience the new Engage portal that will include faster load times, better search...

ISACA communities will be deactivated
The current ISACA communities will be deactivated on Friday, 31 August as we upgrade to our new Engage portal. After that date, you will not have access to past discussions or attachments. Your...