We all know what risk is. It’s like stepping outside of the house in the morning, looking up at the sky, working out whether or not you think it’s going to rain and then working out whether or not it’s going to rain enough to warrant taking an umbrella, full waterproofs or avoiding the rain […]

If you’re hitting section 5.1.1 of PCI DSS and want to verify that all anti-virus programs detect, remove, and protect against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits), then what do you do? How do you test anti-virus software actually works? I’ve been using the EICAR test

What a great little tool to help verify SSL configurations. If you’re working through PCI DSS and hit section 4.1a, then www.ssllabs.com does a grand job at ensuring your SSL configuration is inline with security best practice. Still not too convinced that I need to ‘sample’ some HTTPS network traffic to make sure it’s actually

Version 2.0 of the Prioritized Approach has been released and is available for download at www.pcisecuritystandards.org. So what’s moved? A number of controls have been moved from milestones 5/6 to milestones 2/4: 9.1 – Physical Access 10.5 – Audit Trail Integrity 11.1 – Wireless Scans 12.5.3 / 12.9 – Incident Response Plan 11.3 – Penetration

Having a poke around recently, it became apparent that there was no clear definition as to what a DSE or a TPP actually ‘is’. Some QSAs have assumed that Third Party Processor (TPP) in effect means ANY payment/transaction service provider and have incorrectly classed entities that service To clarify what a TPP actually is –

The last prioritized approach (v1.2) was released over 2 years ago now. Many have agreed, disagreed, argued (as you might expect with anything PCI related) about which order the controls should be in. The standard “governance” controls we all know and love were pushed into the lowest priority milestone 6 category and odd things like

Just because a network might be ‘private’ in terms of PCI DSS, for example MPLS, IP-VPN, leased line, X.25 et al does NOT mean it is out of scope for PCI DSS. Being ‘private’ negates ONE control, and that is that you don’t need to encrypt traffic that passes over a ‘private’ network (control 4.1).

Reading Uri Rivner’s blog this week (http://blogs.rsa.com/rivner/anatomy-of-an-attack/), RSA have been rather brave to disclose how their systems were recently breached. According to Uri, an Excel attachment with embedded Adobe Flash content was sent to a small group of low profile users within RSA, with the title “2011 Recruitment Plan”. At least one user had opened

Blackfoot have arranged a half-day educational event around PCI DSS in London on Wednesday March 9th from 13:30 to 19:30, where the following speakers will be presenting their views on the topic. The Standard – Jeremy King – PCI SSC The Acquirer – Eamonn Skyrme – RBS Worldpay The Card Scheme – Andrew Mulvenna –