The last prioritized approach (v1.2) was released over 2 years ago now. Many have agreed, disagreed, argued (as you might expect with anything PCI related) about which order the controls should be in. The standard “governance” controls we all know and love were pushed into the lowest priority milestone 6 category and odd things like
Prioritized Approach for PCI DSS Version 2.0 Read More »
Right. Just how many more companies need to lose or have personal data stolen before we get to the point there’s a reasonable chance that x out of y people can no longer use their personal data as unique identifiers, and what exactly is that going to do to the person-not-present industry? We have circa
Calm down dear, only 70m records Read More »
Just because a network might be ‘private’ in terms of PCI DSS, for example MPLS, IP-VPN, leased line, X.25 et al does NOT mean it is out of scope for PCI DSS. Being ‘private’ negates ONE control, and that is that you don’t need to encrypt traffic that passes over a ‘private’ network (control 4.1).
What is a private network in terms of PCI DSS? Read More »
I had a call from O2 today with regards to a phone upgrade. It went something like this: “Hello, is that Mr Tim Holman” “Yes” “You’re phone’s due for an upgrade and I have some fantastic news for you. We can offer you a lower tariff and get you an iPhone 4! Isn’t that great?”
Call centre “Security Questions”? Read More »
Reading Uri Rivner’s blog this week (http://blogs.rsa.com/rivner/anatomy-of-an-attack/), RSA have been rather brave to disclose how their systems were recently breached. According to Uri, an Excel attachment with embedded Adobe Flash content was sent to a small group of low profile users within RSA, with the title “2011 Recruitment Plan”. At least one user had opened
Advanced Persistent Threats and why being PCI DSS Compliant doesn’t help…. Read More »
With the ‘advent’ of ‘cloud’ computing, which in real language means outsourcing using a common, shared contract, many companies are putting their data and absolute faith in the hands of third parties, perhaps without performing the exact same level of due diligence as they might should they ‘insource’. Or Ground Computing as I’ve decided to
It’s no surprise that Infosecurity Europe remains Europe’s No. 1 Information Security Event when there are so many great reasons to attend. Register free to visit and benefit from 3 days of free education, see over 300 vendors and meet with over 12,000 of your peers – all under one roof. The 3 day Keynote
Infosecurity Europe 2011 Read More »
Tim Holman, CEO 2-sec’s hugely popular PCI DSS Masterclass returned for another year at the Infosec show at Earls Court, bringing delegates up to date with the latest changes to PCI DSS v2.0 and penetration test requirements.
Infosec 2011 – PCI DSS Masterclass Read More »
Fresh in the news, Play.com recently warned customers to be “extra vigilant” after a security breach led to the compromise of personal information. No payment card details were understood to have be stolen. “The retailer, which sells music, videos and games, blamed another company that it employs to do marketing.” – http://www.bbc.co.uk/news/technology-12819330 So we’ve got
Play.com warns of customer e-mail security breach Read More »
