Posts Categorized: PCI DSS Penetration Testing
… nothing for a few weeks and then three come at once. Last Friday afternoon at the office turned into a somewhat sedate – and welcome – end to the working week. Until I took three sales calls one after each other. Nothing notable about that. What was significant was that all asked about how… Read more »
Ensuring that the Board understands how cyber security risks affect the business – a challenge for all Non-Executive Directors
How much penetration testing and vulnerability scanning does PCI DSS v3 require?
“Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.” We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3. We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents… Read more »
The PCI SSC has released the official ROC reporting template for PCI DSS version 3. This is important because it now means that QSA companies can now conduct on-site assessments using PCI DSS version 3. The reporting instructions are available for public inspection here.
It is possible that web applications previously considered out-of-scope for PCI DSS could now be in-scope under PCI DSS v3. The impact of this could be significant depending on your existing card data environment (CDE). It has long been accepted practice that any component that stores, processes or transmits cardholder data is in scope for… Read more »
Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept… Read more »
Here’s our short video (less than 10 minutes), ideal for project managers who need to know more about how penetration testing can be used to effectively gauge the security of outsourced cloud environments. Find out more about our penetration testing services.
This is a follow-up post to our previous article on the subject. Here we offer technical assistance to those of you trying to fix the BEAST vulnerability, and offer some mitigation practices. The problem revolves around a vulnerability identified years ago in TLSv1 and SSLv3 protocol CBC mode ciphers (the stronger ciphers). This issue was fixed in… Read more »