Posts Categorized: pci dss

PCI Self Assessment Pack

"In depth understanding of PCI, very responsive and services at a great price." Chief Technical Officer, Secret Escapes

Supporting You Right Through To Successful PCI Self Assessment

Where to start? What must I complete to show my company is PCI compliant? Will we be fined for not being compliant? What needs to be scanned?…

5 Essential Tips For Those New To A PCI Scan

PCI scan for weaknesses

Recently, we have started working with a significant number of new clients on ASV scanning projects. This is the PCI network scan that merchants and service providers are required to have performed. Nothing new in that. We have been an ASV for over ten years. What has caught our eye is what has prompted these…

AMEX PCI DSS Compliant Service Providers


AMEX now maintains a full list of all PCI DSS compliant service providers. Service providers pay a fee to register, and full details of the scheme are available directly from the AMEX web site.

PCI: Your eCommerce Web Sites Are In Scope

“Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.” We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3. We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents…

ROC Reporting Template, PCI DSS V3

The PCI SSC has released the official ROC reporting template for PCI DSS version 3. This is important because it means that QSA companies such as Ambersail can now conduct on-site assessments using PCI DSS version 3. The reporting instructions are available for public inspection here.

PCI: Web Redirection Servers In Scope?

It is possible that web applications previously considered out-of-scope for PCI DSS could now be in-scope under PCI DSS v3. The impact of this could be significant depending on your existing card data environment (CDE). It has long been accepted practice that any component that stores, processes or transmits cardholder data is in scope for…

10 Ways To Fail Your ASV Scan

“We know that there’s nothing more frustrating than getting a failure mark on your quarterly scan report.” But did you know there are 10 findings that cause an automatic fail should the scan report any of them? Operating system versions no longer supported by the vendor, such as Windows 2000 or older Linux distributions. Unsupported,…

Cheat Sheet: Virtual Web Application Patching

Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept…

PCI DSS Cloud Computing Guidelines

A new guidance document from the PCI SSC provides useful information about the use of Cloud Service Providers (CSPs) and how this may affect PCI compliance. Although cloud computing feels like a new thing, the issues about responsibility for cardholder data are certainly not new. Related issues, such as nebulous (pun intended) statements about PCI…