PCI: Web Redirection Servers In Scope?

It is possible that web applications previously considered out-of-scope for PCI DSS could now be in-scope under PCI DSS v3. The impact of this could be significant depending on your existing card data environment (CDE). It has long been accepted practice that any component that stores, processes or transmits cardholder data is in scope for… Read more »

The Impotence of Passwords

cyber security

No, that’s not a typo. More evidence has emerged that millions of people  choose poor quality passwords.  This is perhaps less surprising than it is disappointing. Why are we still having this discussion? Why is the most widely-deployed authentication factor in the world so poorly implemented? Unfortunately, the truth lies in the fact that, if… Read more »

10 Ways To Fail Your ASV Scan

“We know that there’s nothing more frustrating than failing your ASV scan.”   But did you know there are 10 reasons why you would automatically fail should the scan make any of the following findings? Operating system versions no longer supported by the vendor. Windows 2000, older Linux distributions. Unsupported, and therefore unpatched. Open access… Read more »

Security & The Short Road To Legacy Systems

“Information security means working with how things are, rather than how you want them to be.”     We’ve all heard the apocryphal tale about the lost traveler asking for directions in a remote country village. You know the one: our traveler is hopelessly lost, the streets are empty. Just as his frustration seems complete, an elderly… Read more »

Payment Cards are Dead. Long Live Payment Cards.

PCI DSS compliance logo credit cards

Any payment technology analyst will tell you that the payments market has exploded over the last few years. An explosion sounds great, but it also suggest fragmentation. Which is another way of saying that the customer has a confusing array of choices. Not that confusion is anything new. Everyone has, at some point, fumbled through a stack… Read more »

5 Constraints To Security Innovation

“We now have a massive security industry, and hacking and data loss is a bigger issue than ever before”   The great thing about the information security field is that it constantly re-invents itself, or at least it tries to. In truth, real innovation is rare, and recyling is common. Developments in information security are… Read more »

Security News Roundup: Defending The Indefensible

Here’s a data security conundrum. The news that anonymous DNA sample data has been used to personally identify the original donor sounds, at first, like an information security problem. The reality is, it isn’t.  A team of geneticists has shown there is a systematic weakness in the way that this data is handled. It turns out… Read more »

Cheat Sheet: Virtual Web Application Patching

Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept… Read more »

Security News Roundup: Can You Hear Me Now?

Sometimes, the price of success is unwanted attention. Witness the apparently stratospheric rise in malware on the Android mobile platform. With mobile usage continuing to explode, coupled with the vast array of valuable data we store and access from our phones, it should come as no surprise that the  bad guys want a piece of… Read more »

Security News Roundup: The Demise Of The Human

With the US version of the RSA conference in full swing this week, we’re pleased to be able to present some signal despite the noise. It turns out that China is being hacked by the US. There, we said it. As they say, it takes two to tango, so we presume this comes as no great… Read more »