💳PCI DSS 4.0 Requirements 9 and 10 focus on managing access to cardholder data, including physical access limitations and logging and monitoring all access.
Shubhra Deo and Ross Moore provide insight into the requirements.⤵️
PCI DSS 4.0 has updated Requirements 11 and 12 to prioritize regular security testing and organizational policies to support information security.
Angus Macrae and Dimitris Georgiou break down the revised directions.⤵️
#compliance #infosecurity #pcidss
@me I mostly install @ubuntu LTS because I need the plannability of #UbuntuLTS.
And before any #Canonical rep wants to sell me anything I want to see a Commitment to #Landscape #OnPremise and #MAAS on-premise...
Because I need to comply with #BDSG, #GDPR, #PCIDSS & #BSI Standards constantly...
#bsi #pcidss #gdpr #bdsg #Maas #onpremise #Landscape #canonical #ubuntults
In this blog, Tripwire's David Bruce discusses some of the challenges organizations face as they try to comprehend the new requirements of PCI DSS 4.0 with guest experts Shubhra Deo, Angus Macrae, and Funso Richard.
➡ https://tripwire.com/state-of-security/how-comply-pci-dss-40-while-juggling-day-day-tasks
Here's my new article about how to implement a simple File Integrity Monitoring for @SumoLogic
Hope it helps! 😉
#cybersecurity #infosec #PCIDSS #compliance #BlueTeam #SOC #SumoLogic #FIM #SIEM
@infosec_jobs #WhatIfIToldYou that one cannot #secure #AWS nor make it #compliant with #GDPR since #Amazon is part of the #PRISM program and also falls under #CloudAct?
I'm not even sure they can comply with #PCIDSS 4.0
#NotLegalAdvice OFC...
#notlegaladvice #pcidss #cloudact #prism #Amazon #gdpr #compliant #AWS #secure #whatifitoldyou
@schrottkatze Yes.
They use #SAP as #backend and store passwords in #plaintext.
Because that's the only logical reason they'd not demand 32+ signs with Uppercase, Lowercase, Numerals and Symbols as well as denying CamelcaseSpeak and checking for words in realtime...
And yes, #PCIDSS and #PSD2 don't have any "password security" demands whatsoever...
#psd2 #pcidss #plaintext #backend #sap
Although I don’t focus on #PCIDSS anymore, it still bugs me to see forms like this asking the customer to write down their CVV2.
@funnygodmother SHIT LIKE THIS is why there's actual #DataProtection #laws in #Germany like #BDSG & #GDPR.
If an #EU citizen and/or resident would be affected, they'd be out paying huge fines if not facing prison in #Germany for gross neglect.
That being said, the only "data protection" that exists in the #USA is #PCIDSS & #HIPAA - the latter only applying to #healthcare providers and -data.
#Healthcare #HIPAA #pcidss #USA #EU #gdpr #bdsg #Germany #laws #dataprotection
@survey I can accept #CCSS if it complies with #GDPR, #BDSG, #PCIDSS, #HIPAA and #BSI standards and doesn't do analytics or telemetry without my explicit opt-in consent.
Unlike #Stallman and his cult followers I do understand that not everything can be licensed under #GPLv3 (i.e. due to #patents and #licensing of them) and at the end of the day, those coding need to pay their electricity bill, eat and have some warm place to sleep in.
#licensing #patents #gplv3 #Stallman #bsi #HIPAA #pcidss #bdsg #gdpr #ccss
@timforgot @TomLarrow Still they should be solely optional.
IDC what kind of fancy stuff one does with it:
I want to be able to REJECT ALL even if it makes the site look like shit.
Anything else would be supporting a bloated and ableist web!
https://www.youtube.com/watch?v=c_v2_vTogS8
Whereas #SSL is something that is kinda essential: Not because #PCIDSS will REQUIRE it for any online store, but because in the era of #LetsEncrypt there is no reason for any business not to deploy it.
@allenholub *nods in agreement*
That's why I yeet Windows machines out of the Window:
Microsoft's bloated tech stack is costly, slow and doesn't even comply with basics like #GDPR, #BDSG & #PCIDSS...
In this Document Library, #retailers can find specifications, tools, measurements, and support resources to ensure the safe handling of cardholder information https://www.pcisecuritystandards.org/document_library/
#cybersecurity #retail #pentest #pcidss #mobilepayments #payments
The most common regulatory requirement for #PenetrationTesting comes from #PCIDSS https://listings.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf
#penetrationtesting #pcidss #retail #infosec #cybersecurity #security #Payments
Which is what I explicitly want, as I've to comply with #GDPR, #BDSG, #PCIDSS and other regulations & be able to enforce "need to know" and name every user that may or may not have access to said vaults...
And no, German laws don't care if something is encrypted or not when it comes to sharing data, so I've to enforce strict policies and refuse to use services and tech that don't enable me to enforce said policies.
AWS managed to PCI PIN certify their CloudHSM as the first one of the big cloud service providers. Awesome feat! Next up PCI P2PE?
https://aws.amazon.com/blogs/security/aws-cloudhsm-is-now-pci-pin-certified/
A support person recently requested the last 8 digits of my debit card number from me in a customer support phone call. That makes the debit card number easily guessable. With this debit card's primary account number (PAN) being 16 digits, the first six digits (bank identification number, BIN) are guessable, so that leaves two digits from discovering the whole PAN trivially...
1) Knowing that the company could have used other identifiers to reliably identify the debit card or customer, I don't really get why they decided that asking for the last 8 digits is the best way to handle their support case.
2) PCI DSS has a sort of loophole here, as phone lines can be considered 'private' (i.e. no cryptography or other relevant protection means required) and many card data protection requirements are related to data storage. So asking for the last 8 digits is still likely PCI DSS compliant, even though not the most secure option to handle the support case...