How much penetration testing and vulnerability scanning does PCI DSS v3 require?
Posts Tagged: compliance
2011 featured plenty of news about high-profile data loss and cybercriminal activity. And so did 2012. Any guesses for 2013? Some common causes emerge in all of these cases. Poorly managed infrastructure, insecure web applications, and a lack of attention to security procedures are often cited. But how do these conditions arise? How is it… Read more »
You might be interested to read the recently published output from the PCI Risk Assessment SIG (Special Interest Group). There’s guidance in there on what constitutes a risk assessment process, and what it should cover. The document makes specific reference to PCI DSS requirement 12.1.2: “12.1.2 Includes an annual process that identifies threats, and vulnerabilities,… Read more »
PCI requirement 6.2 “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” includes the additional note: “The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.” As the summer (at least in the Northern Hemisphere) is… Read more »
One of the great challenges of PCI compliance (or indeed any other compliance activity) is understanding the jargon. Qualified Security Assessors (QSAs) talk extensively about “validation”, “assessment” and “evidence” all day long, but sometimes the reasoning behind these terms is obscured. Part of the issue here is that, statements can be made behalf of products… Read more »
If you can answer “yes” to any of the following questions, then your application is not eligible for validation under PA DSS Is this a beta version of the application? Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement? Does the application facilitate authorization or settlement, but has… Read more »