Caught between PCI-DSS compliance mandates and a shrinking budget?
Use our quick contact form above and we'll show you how to become PCI-DSS compliant on a seriously tight budget!
Still looking for more conventional answers? Here are some possible resources for PCI-DSS...
http://chuvakin.blogspot.com/ 23 0210 PM Purple 304 Abstract The IT industry suffers from a lack of standards for event log and audit information. Regulatory requirements to retain protect and destroy log data continue to increase. Organizations also need better situation awareness and... a good CAG-related preso direct from its mysterious source. Next Gunnar reminds us to be to be asset focused not auditor focused in infosec by using Berkshire 2008 Annual Letter Hoffs Offensive Computing - The Empire Strikes Back reminds us to... and other organizations dealing with PCI DSS challenges. Mistakes related to the technical and process side of PCI self-assessment and audits as well as PCI validation requirements will be discussed. The information will be useful to all merchants dealing with credit... is my obscurely humorous post on SAQSA PCI SAQSA and to think that many people suggest that humor and auditors dont mix A post where I link to a rumor of a new processor breach New Processor Breach is...
http://www.rsasecurity.com/blog either purchased outsourced or home grown must possess a modest set of baseline capabilities. Some of these include enabling audit trails reconstructing simple events and securely storing audit trails for at least a year.enVision 4.0 goes liveTopics SIEMWere pretty pumped here at RSA since today were releasing our...
http://riskmanagementinsight.com/riskanalysis/ any number of other documents and standards. It would seem that its only demonstrative use is for the purposes of auditing to standard compliance. And I have to think that this is really what this document is all about something more...
http://www.tssci-security.com/archives/2009/02/12/post-to-webappsec-mailing-list expert and tuned to the applications. Should these devices sometimes be separated out of a traditional operational role due to auditability and for compliance scoping purposes Probably not. Should they perform monitoring debugging capability or solving hard production problems Probably not....
http://www.intersectalliance.com/projects/SnareWindows/ on how to use the script PAD FileSnare Server The Snare Server builds on the success of our Open Source audit event log agents. When used in combination our Snare agents and Server provide a robust and effective resource for...
http://www.sentrigo.com/ databases Guest blog post by Sentrigo CTO Slavik Markovich WebinarPrincipal Analyst Noel Yuhanna to discuss database security planning audit requirements for 2009 Watch now Intrusion prevention Virtual Patching Vulnerability assessment Database Audit Standards and regulations Banking database security Buffer...
http://www.itcomplianceandcontrols.com did support the government and industry to meet the new standards given the new technology. Today our laws and the auditor check lists do not sufficiently address virtualization but that does not eliminate the risk or need to operate securely and... placed. 2.C - Agreeing on a risk based approach is certainly critical and coordination should exist between internal and external audit but it should be expanded to other operational divisions. For instance IT Security and strategic governance operations must also be... on Amazon. Best James DeLuccia IV No CommentsTags Direcitonal Alignment Risk Awareness iso27001To my colleagues in the technology audit and security field The Association of Certified Fraud Examiner conference in July this year was a huge success. For anyone...
http://pcianswers.com/2008/11/03/cloud-computing-security-and-pci/ reliant on attacks being identified as they occur and not months or years later. Another connected issue is that of audit logging. A PCI DSS requirement states one must Promptly back up audit trail files to a centralized log server or media that is difficult to alter. Assuming companies that spin up servers...
http://www.gfi.com/lannetscan/?adv=62&loc=61 administrative effort. As an administrator you have to deal separately with problems related to vulnerability issues patch management and network auditing at times using multiple products. However with GFI LANguard these three cornerstones of vulnerability management are addressed in one package.... scanning Patch Management and Network Auditing Automated options help to retain a secure network state with minimal administrative effort Network-wide auditing functions provides a complete picture of network and port security set-up 1 Windows commercial security scanner voted by Nmap users... helped us address two issues the need to secure our computers from the latest threats and to be able to audit our network. Read the Case Study Oscar Wilton Additional Case StudiesReport Pack The Power of Reporting with GFI LANguard ReportPack...
http://www.pciassessment.org/pci-expertise.php# an assessment for your business. 1-877-300-1290NDB Advisory About Us NDB AdvisoryFrom PCI DSS auditors consisting of former big four technology auditors to highly specialized Information Technology experts NDB Advisory personnel have the industry know how to meet your organizations needs for...
http://trustseals.wordpress.com/2009/02/10/pci-compliance-explained/ Level 1 merchant. With Level 1 merchants those are required to have a third party come in and perform an audit. Thats what I do. Im the auditor. What happens is I have to understand all twelve of those requirements and... with the subsets of those. I believe its 256 requirements total if you mean everything. What should happen with an auditor they should first ask the question and then once you give them the answer they should ask for proof. The... are - in the questions I receive when I speak about PCI is Weve had what we call check box auditors. Is that good Is that bad Its all about what risk youre willing and your company is willing to except....
http://pcidss.wordpress.com/2009/02/13/cloud-computing-and-the-assumed-lack-of-s Chaos Complexity The Emerging Science at the Edge of Order and Chaos IT Governance IT Governance audit auditing Boards Business Agility CoBIT Compliance conference FERC fraud GLBA Governance iia information security IT Controls ITIL Management mergers and acquisitions...
http://pcianswers.com/2008/10/01/pci-dss-version-12-differences-and-updates/ an item that is suggested but not required. Requirement 10 In version 1.1 the standard mandated that companies retain audit logs for a minimum of three months available online. In version 1.2 this is changed to Retain audit trail... analysis of wireless under PCI DSS v1.1 read the wireless FAQ. In version 1.2 Requirement 11.1 has more detailed audit procedures outlining criteria for escalating alerts from a wireless IDSIPS and integrating the alerts into the required incident response plan.... two new sections titled Validation of Compensating Controls and Maintenance. This goes right to the heart of the matter that auditors must evaluate and validate their compensating controls and maintenance behind securing the environment on an ongoing basis. Attestation of Compliance...
http://t-rob.net/2009/01/26/choosing-a-pci-dss-auditor-does-wmq-awareness-count/ DSS Auditor Does WMQ awareness count January 26th 2009 by T.Rob James DeLuccias post about choosing a PCI DSS QSA auditor has some good advice. I would add to his list a criteria of my own the auditor should at least... least know how to spell WMQ. Or JMS. Or message oriented middleware. While I havent been involved in any PCI audits many of my customers are subject to PCI DSS. Until recently it was hard to find one that had enabled... this is not redoubling security at the perimeter. The answer is to apply meaningful controls at the messaging layer. An auditor familiar with your messaging technology would seem to be a valuable asset if the goal is to actually assess security... a valuable asset if the goal is to actually assess security and not merely to pass the audit. If any auditors out there want to know more about securing WebSphere MQ contact me. Ill be happy to help. Hannaford was reportedly... up the Hs whats in store for firms in the I - Z range I prefer to think its strict
http://www.treasuryinstitute.org/blog/ possible and to follow PCI to protecting those data if you do choose to retain some. 10 years of FTC audits...the gift that keeps on giving...posted by Walt at 0803 PM 3 Comments About this blog About This Blog Effective...
http://www.mckeay.net/2008/11/02/pci-compliance-in-the-cloud-get-it-in-writing/ occurring.Im not directly involved in the securing and examining of networks for PCI compliance but are there opportunities in the audit process where the analyst would know whether an in-scope server is actually a virtualized instance and that the other virtual... ridiculous assertion that cloud computing is just the internet with virtualizationand thats the biggest problem here. Your position as an auditor is to assess infrastructure and policy against the regulations as they stand. My position as an architect is to assess... is much more simplistic and it is because Im an assessor Im still not sure what the difference between an auditor and an assessor is but there is one. Im not paid to try and secure the cloud. I have a...
http://www.acunetix.com/websitesecurity/pci-dss.htm create a detailed report which will allow you to easily prove that you meet these particular PCI standards.KeyWordsPC DSS compliance auditing websitesecurity_articleNews Ordering Support Partners About us ContactWEB VULNERABILITY SCANNER DOWNLOAD TRIAL FREE EDITION PRODUCT TOUR WEB SECURITY BLOGIf your business... receipts.TJX violated some of the basic tenets of the PCI Data Security Standard PCI DSS and according to several PCI auditors it will pay a heavy financial price. TJX were clearly negligent in holding onto unencrypted cardholder data a direct violation... cardholder data a direct violation of the PCI DSS.Penalties for noncompliance range from fines of up to 500000 to increased auditing requirements or even losing the ability to process credit card transactions.To avoid similar cases such as TJX happen again major...
http://holisticinfosec.blogspot.com/ we to believe if PCI SSC doesnt adhere to its own standard that anyone else will except during the annual audit As there is little to no enforcement of PCI violations it seems unlikely that PCI DSS will continue to be... Audit Viewer. If you convert MindSniffer-generated Snort signatures to python files you can match signatures to strings in any process audit. Peter spoke about this technique at Blackhat Federal. If you havent yet downloaded Memoryze Audit Viewer and MindSniffer all I...
http://www.compliancefocus.com Enforcement Happening in 2008 Published02192008This just in HIPAA is now being enforced to some extent. On the heels of the audit of a major healthcare organizations by DHHS Office of the Inspector General Piedmont Hospital reported here CMS has announced their...
http://blog.tevora.com/ mean copious amounts of log files not necessarily large in size. Essentially the chief task was that I needed to audit what was being kept as online history. As you dedicated readers remember PCI-DSS requires one year of history to be...
http://pcidss.wordpress.com/2009/01/08/how-to-choose-a-pci-dss-qsa-audit-or/ 3 Comments Dont choose the lowest bidder when you are seeking the best QSA to do your onsite PCI DSS audit. This is not an article to inflate the costs of validating your compliance program but instead intended to LOWER the... to inflate the costs of validating your compliance program but instead intended to LOWER the cost of the PCI onsite audit. While giving training this week on PCI DSS a great conversation developed where we outlined what should be strongly considered... the Relationship manager or person charged with owning the payment transactions within the business. There is not a lacking of audit firms that are willing to do the work so a witling process is necessary Consider geographic location - you want... any additional insights as they come up. Best James DeLuccia IVCategories Compliance Tagged best practices it compliance and controls onsite audit PCI DSS qsa Security vendor3 responses so far Network Security Blog PCI related blogging January 9 2009... Auditor Does W
http://events.qualys.com/content/pci_myths and other organizations dealing with PCI DSS challenges. Mistakes related to the technical and process side of PCI self-assessment and audits as well as PCI validation requirements will be discussed. The information will be useful to all merchants dealing with credit...
http://beastorbuddha.com/2009/01/27/okay-ill-add-my-2-cents-to-the-heartland-bre from a large well know security company. He told me he never touched anyones systems during a PCI DSS onsite audit. hmmm. someone is going against written directions in the PCI-DSS for testing procedures. They should be stripped of their QSA... would be confident in is something that only a small percentage of the industry would have. Separating areas of the audit between team members against their areas of speciality is probably the approach most good QSAs would use - at least... little to no gaps. Many QSAs just dont have enough basic technical expertise to be able to perform a full audit on their own to a level that the PCI SSC and industry overall would expect. Many clients unfortunately are not... a good thing.Drazen Drazic Says January 28th 2009 at 406 pmI should add that should something come up during an audit that may not be covered specifically by the PCI DSS but that we deem a security risk to the CC... if I am achieving acceptable operational risk. I know and understand my
http://www.secureconsulting.net/2009/02/pci_dss_v12_in_a_nutshell.html was the third iteration of PCI and represents its continuing evolution. Version 1.2 is structured in the manner of the audit procedures guide of previous versions making the standard easier to comprehend from an implementation standpoint. That being said the standard... a reputable AV solution to systems commonly afflicted with malware. 2. Ensure that the AV is current active and generating audit logs in accordance with associated security policies and standards on the topic and retaining the logs in accordance with 10.7... rootadministrator actions invalid logical access attempts use of identification and authentication mechanisms creation and deletion of system-level objects access to audit logs and the initialization of the audit logs. Logs are to be retained for at least a year with 3... a daily basis though automated tools can be used to meet the requirement. Action Items 1. Implement and secure detailed audit trails. Capture all individual access to cardholder data all rootadmi
http://blogs.verisign.com/securityconvergence/2009/01/pci_compliant_companies_do day. Is there a problem with PCI If there is one the problem lies in the QSA community or internal auditors that have not been through something like the CPISA training not the standard itself. The new QA program aims to...
http://www.pciknowledgebase.com/index.php?option=com_banners&task=click&bid=11 Assessment Outsourcing Source code analysis Penetration test Basel Accord Jack Danahy Secure Coding Hack App security application audit solutions application audit tools Application firewall AppScan AppShield Backdoor code red Code review Contextual analysis Cracker cross site scripting Cyberterrorism Danahy Danahy Group... risk. This framework offers guidance for the processes controls and tools needed to assess software risk and includes a detailed auditors checklist and regulatory compliance matrices. Register Q I work for a Financial Services firm. What are the software security compliance...
http://www.pciknowledgebase.com/index.php?option=com_banners&task=click&bid=23 has focused day-to-day monitoring of your PCI DSS-related processing environment and simple powerful forensic capabilities that quickly meet PCI QSA audit requirements and facilitate ad hoc forensic capabilities.6.4 Follow change control proceduresSenSage detects changes to any database object7.1 Limit access to...
http://www.pciknowledgebase.com/index.php?option=com_banners&task=click&bid=14 a compliant state. And when seamlessly combined with Tripwires continuous change auditing organizations maintain that state. Tripwire also generates an audit trail of any changes made so IT organizations have the evidence they need to easily prove continuous compliance.Tripwire solutions helps... configuration assessment policies based key standards and regulations such as SOX PCI DSS FDCC FISMA NERC and COBIT. Generates an audit trail that enables quick painless proof of continuous compliance. Provides file integrity monitoring that detects and alerts IT to changes... and security initiatives from a single familiar point of control.SOXLearn MoreTripwire assesses IT configurations against SOX requirements and integrates configuration auditing into IT operations verifying and reinforcing controls for SOX 404 compliance.GLBALearn MoreTripwire configuration control solutions help organizations meet GLBA intrusion... MoreWith Tripwire healthcare organizations can automatically achieve com
http://www.pciknowledgebase.com/index.php?option=com_banners&task=click&bid=10 Automated PCI Compliance ArcSight PCI Logger is an all-in-one log collection storage and analysis appliance for cost-effective automation of PCI audits and proactive protection of cardholder data. Download ArcSight PCI Protection SuiteWebinar PCI Compliance Made Easier The Value of Security...
http://www.pciknowledgebase.com/index.php?option=com_banners&task=click&bid=12 IT GOVERNANCE LIMITEDI.T.s Dirty Little SecretPrivileged Passwords BY MARK FULLBROOK CYBER-ARKImpact Zones Reduce the cost and complexity of compliance or audit programs and processes with UCF spreadsheets which are broken down by individual areas of compliance or Impact Zones. Each impact...
http://en.wikipedia.org/wiki/PCI_DSS of a snapshot certification the evaluation cannot ensure that the target company will maintain the good practices seen in an audit13.The definition of compliant has also been open to interpretation especially regarding how temporary such a declaration might be. Declaring a...
http://blog.tenablesecurity.com/2008/10/pci-dss-plugins.html released three new beta plugins to all ProfessionalFeed and Security Center users that automate the process of preparing a PCI-DSS audit. The three new plugins available are PCI DSS compliance tests requirements PCI DSS compliance passed...Tenable Network Security Event Analysis Training... compliant. The plugins dont perform actual scanning they just look at the results from other plugins. Tenable chose to audit and report on the actual scan configuration so that Nessus users can still perform basic scans and get actionable results.... results. This helps them understand if they have some glaring vulnerabilities that need to be fixed without performing a full audit which can include onerous tasks such as full UDP and TCP port scans. Configuring a Scan A system will only... an audit of a web server be performed without any filtering. If there is no filtering between Nessus and the audited server there is no reason to perform a full port scan. One last point for configuring port scans
http://www.acunetix.com/websitesecurity/pci-compliance-wp.htm process to ensure that each change is followed by the relevant security counter-measure designed to be successful in a security audit. Data protection and preservation must also be enforced upon elements which do not involve consequences brought about by human involvement.... their online systems and also to prove their reliability to the consumer public.The Approved Scanning Vendors who provide PCI Compliance audits can benefit from Acunetix Web Vulnerability Scanner to identify vulnerabilities in merchant web applications and also guide them to resolving...