How do PCI DSS Requirements 2 and 8 apply to SAQ A merchants?

PCI SSC has clarified new requirements 2.x and 8.x included in the SAQ A v3.2. According to the FAQ 1439 these new requirements apply to all redirection servers in Ecommerce and MOTO payment channels.

“E-commerce merchants that redirect customers from their website to a third party for payment processing will need to validate these requirements for the webserver upon which the redirection mechanism is located.”

This may cause some issues, especially if User Management processes for web servers have been outsourced to a Third Party Service Provider.


PCI SSC: Bulletin on Migrating from SSL and Early TLS

Download the Bulletin. Key points and deadlines:

  • All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers – must provide a TLS 1.1 or greater service offering by June 2016
  • Consistent with the existing language in the DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater
  • All processing and third party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018
  • SSL/TLS 1.0 within a POI terminal that can be verified as not being susceptible to any known exploits for SSL and early TLS, and that carries no demonstrable risk, may continue to be used beyond June 2018, consistent with the existing language in the DSS v3.1 for such an exception
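The bulletin's floor (TLS 1.1 or greater, with SSL and early TLS gone by the cutover date) is easy to check and easy to enforce in code. The following is an added example, not part of the bulletin or of the PCI SSC's material: it classifies the protocol names a scanner typically reports, audits a constructed endpoint inventory against the bulletin's rules (POI terminals are set aside as exception candidates rather than failed outright), and builds a server-side `ssl.SSLContext` that refuses anything below TLS 1.2, which is stricter than the 1.1 floor and is what NIST guidance now expects. The `Endpoint` class, `audit` function and the host names in `SAMPLE_INVENTORY` are all assumptions made for the example.

```python
import ssl
from dataclasses import dataclass

# Floor set by the bulletin: TLS 1.1 or greater. Anything lower is "SSL / early TLS".
BULLETIN_MIN_TLS = (1, 1)


def parse_protocol(name: str):
    """Return (major, minor) for a TLS protocol name such as 'TLSv1.2' or 'TLS 1.0'.

    SSLv2/SSLv3 and anything unparseable return None: they are never acceptable.
    """
    n = name.strip().upper().replace(" ", "")
    if not n.startswith("TLS"):
        return None
    ver = n[3:].lstrip("V")          # accept "TLSv1.2" and "TLS1.2"
    if not ver:
        return None
    parts = ver.split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0   # "TLSv1" means 1.0
    except ValueError:
        return None
    return (major, minor)


def is_acceptable_protocol(name: str) -> bool:
    """True if the negotiated protocol meets the bulletin's TLS 1.1+ floor."""
    v = parse_protocol(name)
    return v is not None and v >= BULLETIN_MIN_TLS


@dataclass
class Endpoint:                      # assumed shape of one scanner result
    host: str
    protocol: str                    # best protocol the endpoint negotiated
    poi_terminal: bool = False       # POI terminals may qualify for the exception


def audit(endpoints):
    """Split endpoints on early SSL/TLS into failures and POI exception candidates."""
    non_compliant, exception_candidates = [], []
    for ep in endpoints:
        if is_acceptable_protocol(ep.protocol):
            continue
        if ep.poi_terminal:
            # Still needs evidence that no known SSL/early-TLS exploit applies.
            exception_candidates.append(ep.host)
        else:
            non_compliant.append(ep.host)
    return non_compliant, exception_candidates


def hardened_server_context(certfile=None, keyfile=None) -> ssl.SSLContext:
    """Server context that refuses SSLv2/SSLv3/TLS 1.0/TLS 1.1 (stricter than the floor)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # CRIME-style compression attacks
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Constructed sample inventory; the host names are placeholders, not real systems.
SAMPLE_INVENTORY = [
    Endpoint("gateway.example", "TLSv1.2"),
    Endpoint("legacy-redirect.example", "TLSv1"),
    Endpoint("old-portal.example", "SSLv3"),
    Endpoint("pos-terminal-17", "TLS 1.0", poi_terminal=True),
]

if __name__ == "__main__":
    failed, candidates = audit(SAMPLE_INVENTORY)
    print("non-compliant:", failed)
    print("POI exception candidates:", candidates)
    print("server minimum:", hardened_server_context().minimum_version.name)
```

Feeding a real scanner's output into `audit` only requires mapping its per-host protocol field onto `Endpoint`; the hardened context can be passed to any `ssl`-aware server (for instance `wrap_socket` on a listening socket) so the cutover is enforced rather than just documented.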

ISACA releases – A Practical Guide to the Payment Card Industry Data Security Standard (PCI DSS)

Download: ISACA Member $35 | Non-Member $60

The guide provides a comprehensive overview of the PCI DSS and explains how to implement its demanding security requirements. The guide also contains a wealth of background information about payment cards and the nature of payment card fraud. The content in this guide goes beyond other sources of information about the PCI DSS by providing the following valued information:

  • Concise summaries of PCI DSS requirements (published in the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 3.1)
  • Consolidated information from numerous PCI DSS publications
  • Background advice on challenging requirements
  • Techniques that are required to scope and implement the requirements
  • PCI DSS requirements mapped to COBIT 5 processes and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001/2 controls
  • Detailed explanation of how to design a professional audit/assurance plan

The guide has been written in plain language to enable non-technical directors, managers and staff in retail enterprises, financial organizations and IT service functions to easily find, understand and use the information.


QSA Experience

PCI SSC has recently announced changes to the QSA Qualification Requirements. The supplementary document dated June 2015 reads:

“The requirement to possess at least one industry-recognized certification is effective as of January 1, 2016 for new QSA Employees. For QSA Employees qualified and added to the search tool prior to January 1, 2016, this requirement is effective July 1, 2016 (for example, upon annual requalification after June 30, 2016).”

Which industry-recognized certifications are acceptable?

There are two lists published by the SSC: A and B (see below).

Currently, you can pick one certification from either List A or List B. The SSC does, however, recommend holding one from each list, which may at some point become the requirement.

Personally, I think the SSC is trying to raise the bar for who conducts PCI DSS assessments and performs QA. It may also be an effective technique to filter out non-technical individuals, which in turn may improve the quality of Reports on Compliance and of the recommendations provided to merchants and service providers. Whereas previously the SSC relied on a quite ambiguous “5 years IT Security experience”, it has now effectively outsourced the background check process to ISC2, ISACA and other certification bodies, which already perform thorough background checks on all candidates.

Note: in order to obtain the CISSP, CISM or CISA, you need to present a minimum of five years of direct full-time security work experience, which is vetted upon completion of the exam.

List A – Information Security

  • Certified Information System Security Professional (CISSP)
  • Certified Information Security Manager (CISM)

List B – Audit

  • Certified Information Systems Auditor (CISA)
  • GIAC Systems and Network Auditor (GSNA)
  • Certified ISO 27001, Lead Auditor, Internal Auditor
  • International Register of Certificated Auditors (IRCA)
  • Information Security Management System (ISMS) Auditor
  • Certified Internal Auditor (CIA)

Overview: SABSA vs TOGAF vs CobIT vs ITIL

Have you ever wondered about the difference between the above frameworks? I’ve put together a quick cheat sheet explaining the basics of:

SABSA – Sherwood Applied Business Security Architecture

TOGAF – The Open Group Architecture Framework

COBIT – Control Objectives for Information and Related Technology

ITIL – Information Technology Infrastructure Library

Download PDF from: HERE


*Source: https://www.vanharen.net/blog/


CISSP & SSCP Updates Announced

ISC2 announced updates to its CISSP and SSCP certifications. There is no information about updates to the CISSP Concentrations (ISSAP, ISSEP, ISSMP). An official email stated:

“What does this mean for (ISC)2 members? Beginning April 15, 2015, all CISSPs and SSCPs will be required to submit their continuing professional education (CPE) credits in accordance with the refreshed eight domains of the CISSP and seven domains of the SSCP. This process ensures that the examinations and continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today’s information security professionals.

Refreshed technical content has been added to the official (ISC)2 CISSP Common Book of Knowledge (CBK) to reflect the most current topics in the information security industry today. The content of the SSCP has also been refreshed to reflect the most pertinent issues that security practitioners currently face, along with the best practices for mitigating those issues. For both the CISSP and the SSCP, some topics have been expanded, while others have been realigned under different domains. Both credentials reflect knowledge of information security best practices, but from different facets.”

CISSP Domains, Effective April 15, 2015

  • NEW Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
  • NEW Asset Security (Protecting Security of Assets)
  • NEW Security Engineering (Engineering and Management of Security)
  • NEW Communications and Network Security (Designing and Protecting Network Security)
  • NEW Identity and Access Management (Controlling Access and Managing Identity)
  • NEW Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
  • NEW Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
  • NEW Software Development Security (Understanding, Applying, and Enforcing Software Security)

SSCP Domains, Effective April 15, 2015

  • Access Controls
  • Security Operations and Administration
  • Risk Identification, Monitoring, and Analysis
  • Incident Response and Recovery
  • Cryptography
  • Networks and Communications Security
  • Systems and Application Security

(ISC)2 2014 CISSP JTA Survey – 5 FREE CPEs

Calling all CISSPs in good standing: take the survey and claim 5 CPEs.

A Job Task Analysis (JTA) workshop for the CISSP was recently completed. The workshop participants produced an updated draft content outline upon which the new CISSP examination will be based. It is now up to all (ISC)2 members who hold the CISSP credential to take the next step in the process. We are therefore asking that all CISSPs complete a JTA Survey based on this new content outline. Respondents will have an opportunity to rate the importance of and comment on the tasks defined within it, to suggest new tasks, and to make any other comments related to the CISSP credential program in general. This information, along with some demographic data that is collected, will be used to finalize a new content outline and exam blueprint that will be used for the next three (3) years. The survey should take approximately 30 minutes to complete.