Earlier this month, Oracle Cloud Infrastructure (OCI) published a Reference Architecture that lets merchants use OCI resources to quickly build an environment that can help meet the intent and rigor of the Payment Card Industry Data Security Standard (PCI DSS). Merchants looking to get into the business of taking credit card transactions online often encounter additional challenges in architecting a secure and available framework that meets industry standards such as PCI DSS; this Reference Architecture should help alleviate some of the confusion surrounding initial compliance while also demystifying some of the other, more confusing aspects of the standard. Having had the privilege of working with the team at OCI, Schellman reviewed the OCI Reference Architecture as an independent assessor, and during that process we found some key advantages that are outlined below:
Here we are again, off to the races on a fresh new release of the Payment Card Industry Security Standards Council's (PCI SSC) flagship security standard, PCI DSS v3.2.1. Aside from an exciting new version number that sounds like a countdown, there are some changes that organizations storing, processing or transmitting cardholder data need to know about. The most notable change is that the Council no longer considers SSL v3 and early versions of TLS an acceptable means to protect cardholder data (CHD), system administration, or authentication credentials. Other minor updates removed past-dated best-practice requirements and made formatting changes to the reporting template.
As a follow-up to the "What 2018 Means for Your PCI DSS Assessment" article I posted, a client of mine had a great question regarding the future date for the semi-annual segmentation penetration test requirement for service providers. They were curious what the February 1, 2018 date meant specifically for their compliance. For instance, if they previously completed a segmentation penetration test in August 2017, would they be required to perform another test six months later, as the requirement would be applicable on February 1, 2018? Or, would they instead be required to perform a segmentation penetration test six months from the February 1, 2018 date?
Some of you may have just read the blog title and believe I made a typo on the year, but no, I am here to talk about PCI DSS in 2018. I know it seems crazy to be discussing 2018, as we are all just getting settled into 2017, but at the realization that it is already April, and somehow January, February, and March flew by like I was in a warp tunnel, I feel it’s appropriate to start discussing 2018.
Executive Summary: Docker is an advanced framework for deploying applications, in particular cloud applications. It is notably different from working within traditional virtualization environments and/or "standard" image-based cloud deployments at Amazon or Microsoft. With that comes opportunity for deployment engineers, but also challenges for security and compliance professionals. This post provides you with some perspective on the technical architecture of Docker and specific use cases for configuring Docker containers for PCI compliance. Where I could, I provide screenshots and examples from a test Docker environment created for this purpose.
As we all were working hard, with holiday vacations and a new year within our reach, the PCI SSC released a guidance document that had been long awaited. The Guidance on Scoping and Segmentation was released to all in December 2016.
What keeps security professionals up at night isn’t the idea of outsider threats attacking their companies—it’s their employees. Nearly 61 percent of security leaders surveyed said their biggest issue is worrying about negligent or malicious employees, which they claim are responsible for over half of their organization’s data breaches or security incidents.
Originally published at blog.pcisecuritystandards.org. In this post, we get insights from Jacob Ansari, Manager at Schellman & Company, LLC. He will present "Hunting Paper Tigers: A Security-First Approach to Compliance" at the North America Community Meeting in Las Vegas.