Last 50 'Compliance' Tagged Posts

PCI Is Meaningless, But We Still Need It

There's a good rant at informationweek on PCI. "The Heartland Payment Systems breach demonstrates that PCI is bunk. Unfortunately, unless something better comes along, bunk is better than nothing. The PCI compliance program is like a Zen koan: it's a proposition that can't be understood rationally. Unlike a koan, however, pondering on...

Today's the day! PCI DSS section 6.6 is required

"Today, June 30, marks the start of new revisions on the PCI DSS specs. Section 6.6 is now required, specifically companies who deal with credit or debit cards online must use an application layer firewall or have a complete website audit code review to remain PCI compliant. With all the stolen and...

Payment Card Industry (PCI) Mandate Stresses Importance of Web Application Security: Recommended Becomes Required

"On June 30, another refresh of the Payment Card Industry (PCI) Data Security Standards (PCI DSS) will upgrade Web application security testing from a best practice to a mandatory practice. The deadline forces merchants and vendors to take a closer look at application-layer security and emphasizes its importance in fighting increasing online...

PCI DSS compliance: Web application firewall or code review?

Michelle Davidson writes "SearchSoftwareQuality.com recently posted an article on clarifications made to requirement 6.6 of the PCI Data Security Standard and explains the options companies have to comply with it. Jeremiah Grossman and other app sec experts were interviewed for the article. Below is the information." I don't usually link to...

Scanless PCI security scanning available

"Using a combination of fines and incentives, the payment card brands have been working hard to boost PCI-DSS compliance rates among merchants. Meanwhile, ASVs have been doing their part by offering their services at drastically reduced prices and curtailing the security checklist to make certification as easy as possible. Every merchant who signs...

Weak Encryption Faulted in TJX Breach

"TJX’s failure to upgrade its encryption system allowed the electronic eavesdropping beginning in July 2005 and continuing for a year and a half, the report says. At least 45 million credit and debit cards were exposed to potential fraud, according to an Associated Press story." Article Link: http://www.itbusinessedge.com/blogs/hdw/?p=945

Your Next Security Frontier? Software!

"Software testing generally falls under the purview of the quality assurance (QA) test team. The problem is that QA testers test the products for compliance with their functional requirements and specifications. Put another way, they test how the software works, not how someone can break or misuse software for illicit purposes. To...

Big trouble if PCI-DSS requires CSRF

Jeremiah Grossman has a post asking the question 'what if PCI-DSS requires CSRF protection?'. Short answer: just about everybody is vulnerable (more so than to XSS), and making people compliant with such a requirement is going to be almost unrealistic. Article Link: http://jeremiahgrossman.blogspot.com/2007/03/big-trouble-if-pci-dss-requires-csrf.html

Compliance As Kick-Starter

"Regulation is a boon to security. Without the government and other private organizations leading security around by its nose, we would be eternally trapped in the "just strap another pizza box into the rack" solutions offered by clueless vendors. There were zillions of them at RSA this year. One problem is that...