The general manager of the PCI SSC, Bob Russo, and CTO Troy Leach were recently invited to present to the US Congress, on the subcommittee “Protecting Consumer Information: Can Data Breaches be Prevented?”. Their statements can be found here: https://www.pcisecuritystandards.org/documents/140202_PCI_SSC.pdf https://www.pcisecuritystandards.org/documents/HMTG-113-IF17-Wstate-RussoB-20140205.pdf Whilst the statements did a good job at supporting the PCI SSC and its […]

It was interesting to note in PCI DSS v3.0, when conducting one of our first v3.0 assessments, that section 3.5.2 refers to a host security module, with regards to protecting data encrypting keys: 3.5.2 Store secret and private keys used to encrypt/decrypt cardholder data in one (or more) of the following forms at all times:

It seems a few service providers are jumping on the bandwagon, getting PCI DSS v3.0 compliant, and then pushing the message out to their potential and existing client bases saying v3.0 is better than v2.0 and that they’re obviously far more secure than other suppliers that only have v2.0 certification. PCI DSS v3.0 and PCI

Last remaining places are available for our December training courses, which are the first instructor-led PCI DSS v3.0 training courses available worldwide since the release of the new standard: December 5 – Introduction to PCI DSS Training Course December 5/6 – 2 day Advanced PCI DSS Training Course

ControlScan, Inc. and 2-sec, Ltd. to Present “Incident Response Plan Toolkit” SIG Proposal at North American, European Payment Card Industry Community Meetings PCI Special Interest Group would improve merchants’ risk preparedness, incident handling                                                                                    ATLANTA and LONDON, Sept. 12, 2013 – Payment security and compliance solution provider ControlScan, Inc., and  security testing, QSA, PA-QSA

The PCI SSC announced draft changes for PCI DSS v3.0 and PA-DSS v3.0 this week. Whilst for most QSAs this shouldn’t come as a surprise, what the standard will do is offer improved guidance for those whom are self assessing, to help ensure the intent of the standard is better understood by the merchant community.

We’ve been doing a few data centre audits as of late, and most entities seem to think just because they have CCTV at their co-location data centres, they meet the compliance requirements of PCI DSS. You’ll note from wording that access control systems need to be MONITORED.  If you’ve a data centre with a few

I came across an interesting interpretation of PCI DSS recently, whereby a Merchant thought that just because they had been assessed compliant against PCI DSS, then all assessed payment channels also met the security requirements of Visa Operating Regulations. SAQ-C-VT (Virtual Terminal) is a standard that can be used to assess card-not-present and card-present transactions

It is well known there is a low barrier of entry for a security company to become a certified QSA Company (QSAC). As long as a reasonable amount of security experience can be documented and an annual fee paid, the resultant QSA examinations are trivial to pass.  This unfortunately leads to a market that is