Posts Categorized: PCI Penetration Testing

PCI Penetration Testing

"The service we received from Ambersail was first class, with clear advice and guidance which helped us to rapidly progress through compliance audits to achieve full Level 1 PCI DSS status. We found Ambersail flexible, approachable and easy to work with. Engaging with Ambersail was undoubtedly beneficial to meeting our PCI compliance goals." Director of Technical... Read more »

PCI: Your eCommerce Web Sites Are In Scope

“Essentially, all merchant eCommerce sites that previously escaped mandatory security assessment can no longer be overlooked.” We now anticipate that many small merchants will find their web sites in scope for PCI compliance under PCI DSS v3. We wrote earlier this year concerning the potential for scope changes brought about by PCI DSS v3. Now that the official v3 SAQ documents… Read more »

PCI: Web Redirection Servers In Scope?

It is possible that web applications previously considered out-of-scope for PCI DSS could now be in-scope under PCI DSS v3. The impact of this could be significant depending on your existing card data environment (CDE). It has long been accepted practice that any component that stores, processes or transmits cardholder data is in scope for… Read more »

Cheat Sheet: Virtual Web Application Patching

Do you operate public-facing web applications in your card data environment? Here’s a pointer to a great source of information from the Open Web Application Security Project (OWASP) on the subject of virtual patching. What is virtual patching? Within the context of web vulnerabilities, this refers to the practice of applying a defensive layer to intercept… Read more »

Taming The BEAST

This is a follow-up post to our previous article on the subject. Here we offer technical assistance to those of you trying to fix the BEAST vulnerability, and offer some mitigation practices. The problem revolves around a vulnerability identified years ago in TLSv1 and SSLv3 protocol CBC mode ciphers (the stronger ciphers). This issue was fixed in… Read more »