Penetration Testing of Segmentation Controls for PCI DSS

Recently I came across a penetration testing report (supplied as evidence for Payment Card Industry Data Security Standard (PCI DSS) compliance) that made a series of assumptions, based on the company’s risk assessment, about whether segmentation controls (those separating the cardholder data environment (CDE) from out-of-scope networks) needed to be tested at all. Requirement 11.3.4 of PCI …

Guidance to Remain PCI Compliant After Making Changes to Your IT Infrastructure

One of the most avoidable PCI failures we see time and again is a lack of follow-up after a significant change. What happens is you make a change to your infrastructure, resume processing, and move on with the environment in its new configuration. Months later, your Qualified Security Assessor (QSA) walks in and asks, “Did you perform due …

The Road to Becoming a Qualified Security Assessor

After spending over 30 years in IT, with a great deal of time spent in security, I find myself with more than a few credentials closer to this end of my career than when I first started. One of my greater accomplishments is my certification as a Payment Card Industry Security Standards Council (PCI SSC) …

PCI DSS – Frequently Asked Questions

So, you’re working on your first Self-Assessment Questionnaire (SAQ) and you get stuck. Up until this point, it’s gone pretty well; you talked to your acquiring bank, downloaded the right form they told you to, and you have the right people pulled together from your company to answer the requirements, but you’re stuck. Where do …