Reducing PCI Scope for the Enterprise Merchant
By definition, the scope of a cardholder data environment for a PCI assessment is
“any system that stores, processes and/or transmits cardholder data.” Securing cardholder
data for many companies is daunting. But with a few simple steps the scope of the
cardholder data environment can be reduced, which can result in less time and money
lost attempting to secure the entire enterprise network. In many instances enterprise
merchants have a difficult time securing their entire cardholder data environment
in the time allowed by their acquirer. If a merchant can reduce the size of the cardholder
data environment by segmenting away a smaller section of the overall enterprise environment,
it will provide an avenue for them to become compliant more efficiently.
Undergoing a PCI assessment can be a painful process. By taking steps to ensure your
organization is properly prepared, you can minimize the level of effort necessary
to complete your assessment.
What is Multifactor Authentication?
Multifactor authentication can best be described as a string of authentication methods
from two or more of the three categories of factors. Considered a form of strong authentication,
multifactor authentication is used to create a higher form of assurance on protected
What is Two factor authentication?
“Something you have, and something you know.”
When developing an application for
the enterprise, product managers have long known the “must have” features that customers
demand. Output to Crystal Reports? – check. Support
for IIS? – check. MSI agent installer? – check.
Companies that have already had to contend with the security regulations of Visa’s
CISP, MasterCard’s SDP, American Express’ DSOP and Discover’s DISC, before they were
bundled together as PCI DSS, may have witnessed widespread rolling of the eyes among
managers at the unveiling of Payment Application Best Practices (PABP). Just what
–another spoonful of alphabet
soup to further complicate their lives.
Tickle Me Security
It seems to me that the security industry releases a new “Tickle Me Elmo” every year. Suddenly it's
all that anyone is talking about. Never mind that you have been in business for 40
years without one, but suddenly you are asked why you don't have one by
every auditor and their mother. And of course if that's not enough, every vendor and
“security specialist” will swear up and down how you can't live without it. Suddenly
you feel like the kid without the Nintendo… God I hated middle school.
Log management is one thing; making use of the logs is another. A couple of years ago
I was doing an investigation for a client on about 4 gigs of log files from 3 web servers,
a router, and an IDS. After that I was on a mission to find something that I
could use to aid in post-event analysis and not overthink the process for me. While
there are a lot of good tools out there that aggregate log files and do correlation,
they are not very well suited for post-incident response handling. The very features
that help you do dashboard reporting actually inhibit you when conducting an investigation.
Normalization of data is useful if you need reporting and alerting, but an investigator
needs to see the data his way, quickly, and untarnished.