Additional 24 months allowed for compliance
In April 2015, the Payment Card Industry Security Standards Council (PCI SSC) released version 3.1 of the PCI Data Security Standard (PCI DSS), only four months after version 3.0 went into full effect. The most important changes are in the communications protocols SSL (all versions) and TLS (version 1.0). These protocols are now considered insecure. They are vulnerable to well-known exploits such as Heartbleed and POODLE.
The PCI deadline for migrating to newer, more secure protocols was originally June 2016. This gave organizations 14 months to address the changes. The generous schedule was an acknowledgement of real-world staffing and budget concerns, despite the fact that the...
12th Consecutive Year as an ASV
Solutionary is pleased to announce that we have successfully completed the annual Payment Card Industry Approved Scanning Vendor (PCI ASV) lab certification test process for 2015-2016. This marks our 12th consecutive year as a PCI ASV. Solutionary has been helping clients remain in compliance with payment card standards as a certified scanning assessor since before the formation of the PCI Security Standards Council (SSC) in 2006. As discussed in our previous blogs about our PCI certification, we do this every year not because we have to, or because clients have asked us to, but because it is the right thing to do and it will make our clients’ lives easier. In addition, this year Solutionary not only successfully completed the PCI ASV certification, but we completed it using two separate platforms to give clients the flexibility of using different scan platforms. Sometimes you need a hammer, sometimes you need a...
Compliance doesn’t equal security
Security enables the continued success of any compliance program, not the other way around. If an organization chooses to do the bare minimum for security, then they should (in theory) expect a maximal impact as a result of a breach.
Take a moment and think about 2014, “The Year of the Data Breach.” It is highly unlikely that the information security (IS) and information technology (IT) teams in each of the major 2014 breaches were not aware of the vulnerabilities or the poor security architecture. However, was management aware of these vulnerabilities? And if so, what mitigation action did they take to correct those vulnerabilities?
It is crazy to me, as an information security manager at Solutionary, that an organization will wait for a catastrophic event or a third-party review before...
Protecting Credit Card Data and Meeting PCI DSS Requirements
Have you ever walked into a grocery store and found the milk on a shelf next to the mustard? Or, while walking the seemingly endless aisles of a supermarket, seen the ice cream next to the ice scrapers?
Unless some mischievous kids were having fun, the answer is “of course not.” There's an almost perfect order to the retail store layout, even if it is a bit overwhelming.
Does this look like segmentation?
Not only are the dairy products kept in a somewhat contained area, they are also refrigerated and protected. Do you think it's a coincidence that high-value items like jewelry and electronics are in central locations with lots of lights and minimal visual barriers?
Of course not.
This is done by design. These valuable items are prone to theft, so they require an elevated level of visibility and additional protection to safeguard them. Many items are locked away and can only be accessed by...
2015: Year of the ___?
2014 is behind us. Depending on your perspective, 2014 is either known as “The Year of the Data Breach” or the “Year of the Undisclosed Vulnerability.”
According to the Identity Theft Resource Center, there were 761 breaches reported in the U.S. during 2014, with over 83 million records exposed in 2014 (as of December 23, 2014). This is an increase of over 25% over the same timeframe in 2013.
With the seemingly never-ending data breach announcements, the general public has started taking a “so what, it's just another data breach” kind of attitude about data breaches. It’s as if there is now almost an expectation that your data will end up in the...