Security News Roundup: Chinese Take-away

The biggest story this week. Chinese military unit behind ‘prolific and sustained hacking’ says security report.  A highly-skilled team of intelligence gatherers working systematically to steal confidential information from organisations around the globe?  Shocking stuff – we can’t imagine for a moment that our government is doing the same thing. But things move fast in the murky… Read more »

Logging & Top 20 Default Username Attempts

It’s true to say that default or weak passwords remain a significant cause of compromise and data loss for many organisations. For years, lists of default usernames and passwords have been widely available (and indeed are a useful resource for penetration testers as well as the less ethically motivated). Whilst it’s great to focus on… Read more »

PCI DSS Cloud Computing Guidelines

A new guidance document from the PCI SSC provides useful information about the use of Cloud Service Providers (CSPs) and how this may affect PCI compliance. Although cloud computing feels like a new thing, the issues about responsibility for cardholder data are certainly not new. Related issues, such as nebulous (pun intended) statements about PCI… Read more »

ATM & E-Commerce Security Guidelines

A couple of new information supplements have been released by the PCI SSC, covering E-commerce and ATM PIN security. “PCI DSS E-commerce Guidelines” contains a nice summary of common E-commerce models, vulnerabilities and some recommendations too. From the intro: “This Information Supplement is intended for merchants who use or are considering the use of e-commerce technologies in… Read more »

Barclaycard Risk Reduction Programme Position Statement

Barclaycard has issued the following positioning statement regarding the Barclaycard Risk Reduction Programme and its relationship with the PCI DSS and participating card schemes (Visa, Mastercard, Amex). If you’re a Barclaycard merchant participating in the BRRP, this positioning statement may be of interest to you. If you’d like to find out more about the BRRP,… Read more »

Mastercard Best Practices for Mobile POS Acceptance

Mastercard has released “Mastercard Best Practices for Mobile Point of Sale Acceptance”. If you’re a POS solution developer, you’ll be interested in this document as it provides guidance on how to develop your solution, and if you’re a merchant, it provides you with guidance on the kinds of features your intended mobile POS implementation should… Read more »

ASV Scan Interference

Just a reminder of a regular observation we make when conducting ASV scans. It’s the issue of interference from an IDS or IPS system. Whilst such systems are useful in normal production situations, they must not interfere in any way with the ASV scan. If interference is detected by the ASV scan – we have… Read more »

Video: Penetration Testing & The Cloud

Here’s our short video (less than 10 minutes), ideal for project managers who need to know more about how penetration testing can be used to effectively gauge the security of outsourced cloud environments. Find out more about our penetration testing services. Related reading: Tips for better mobile app penetration testing.

Which Visa Europe Agent Are You?

Or, where do I register with Visa Europe once I’ve received my completed ROC? So you’re a service provider, you’ve been assessed by a QSA, and now you want some recognition in the form of a public listing on Visa Europe’s list of compliant service providers, or on the new Visa merchant agent listing web site. But which… Read more »

8 Recurring Themes Within The PCI DSS

The PCI DSS is a security standard that embodies a number of underlying principles. What are these principles? As with all PCI compliance questions, the answers usually lie in understanding the intent behind the requirements of the standard. Although there are many individual requirements detailed within the PCI DSS, collectively they are based upon… Read more »