PCI SSC article: READ
PCI SSC SSL Migration Guidelines: DOWNLOAD HERE
PCI SSC has clarified the new Requirement 2.x and 8.x items included in SAQ A v3.2. According to FAQ 1439, these new requirements apply to all redirection servers in e-commerce and MOTO payment channels.
“E-commerce merchants that redirect customers from their website to a third party for payment processing will need to validate these requirements for the webserver upon which the redirection mechanism is located.”
This may cause some issues, especially where user account management for the web server has been outsourced to a third-party service provider: Requirement 8 covers identifying and authenticating access to that system, and Requirement 2 covers removing vendor-supplied defaults and hardening it, so the merchant now has to obtain evidence for both from the provider.
Download the Bulletin. Key points and deadlines:
PCI Security Standards Council Chief Technology Officer Troy Leach talks about what to expect from PCI SSC in 2016. Click HERE.
Download: ISACA Member $35 | Non-Member $60
The guide provides a comprehensive overview of the PCI DSS and explains how to implement its demanding security requirements. It also contains a wealth of background information about payment cards and the nature of payment card fraud. The content goes beyond other sources of information about the PCI DSS by providing the following:
Concise summaries of PCI DSS requirements (published in the Payment Card Industry (PCI) Data Security Standard Requirements and Security Assessment Procedures, Version 3.1)
Consolidated information from numerous PCI DSS publications
Background advice on challenging requirements
Techniques that are required to scope and implement the requirements
PCI DSS requirements mapped to COBIT 5 processes and International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27001/2 controls
Detailed explanation of how to design a professional audit/assurance plan
The guide has been written in plain language to enable non-technical directors, managers and staff in retail enterprises, financial organizations and IT service functions to easily find, understand and use the information.
PCI SSC has recently announced changes to the QSA Qualification Requirements. The supplementary document dated June 2015 reads:
“The requirement to possess at least one industry-recognized certification is effective as of January 1, 2016 for new QSA Employees. For QSA Employees qualified and added to the search tool prior to January 1, 2016, this requirement is effective July 1, 2016 (for example, upon annual requalification after June 30, 2016).”
Which industry-recognized certifications are acceptable?
There are two lists published by the SSC: A and B (see below).
Currently, you can pick one certification from either List A or List B. The SSC recommends holding one from each list, which at some point may turn into a requirement.
Personally, I think the SSC is trying to raise the bar for who conducts PCI DSS assessments and performs QA. It may also be an effective technique for filtering out non-technical individuals, which in turn may improve the quality of the Report on Compliance and of the recommendations provided to merchants and service providers. Where previously the SSC relied on the rather ambiguous "5 years of IT security experience", it has effectively outsourced the background check process to (ISC)2, ISACA and other certification bodies, which already perform thorough checks on all candidates.
Note: to obtain CISSP, CISM or CISA you need to present at least five years of relevant work experience, which is verified after you pass the exam.
List A – Information Security
List B – Audit
Have you ever wondered what the difference is between the following frameworks? I've put together a quick cheat sheet explaining the basics of:
SABSA – Sherwood Applied Business Security Architecture
TOGAF – The Open Group Architecture Framework
COBIT – Control Objectives for Information and Related Technology
ITIL – Information Technology Infrastructure Library
Download PDF from: HERE
(ISC)2 has announced updates to its CISSP and SSCP certifications. There is no information yet about updates to the CISSP concentrations (ISSAP, ISSEP, ISSMP). An official email stated:
"What does this mean for (ISC)2 members? Beginning April 15, 2015, all CISSPs and SSCPs will be required to submit their continuing professional education (CPE) credits in accordance with the refreshed eight domains of the CISSP and seven domains of the SSCP. This process ensures that the examinations and continuing professional education requirements encompass the topic areas relevant to the roles and responsibilities of today's information security professionals."
CISSP Domains, Effective April 15, 2015
SSCP Domains, Effective April 15, 2015
Calling all CISSPs in good standing: take the survey and claim 5 CPEs.
“A Job Task Analysis (JTA) workshop for the CISSP was recently completed. The workshop participants produced an updated draft content outline upon which the new CISSP examination will be based. It is now up to all (ISC)2 members who hold the CISSP credential to take the next step in the process. We are therefore asking that all CISSPs complete a JTA Survey based on this new content outline. Respondents will have an opportunity to rate the importance of and comment on the tasks defined within it, to suggest new tasks, and to make any other comments related to the CISSP credential program in general. This information, along with some demographic data that is collected, will be used to finalize a new content outline and exam blueprint that will be used for the next three (3) years. The survey should take approximately 30 minutes to complete.”