Visa Europe revealed important stats about the usage of Contactless Cards. Poland, Spain and the UK use this payment methd the most, with UK usage growing by 300% year over year.
Marco Borza April 22, 2014
Have you ever been sitting in meetings with clients and auditors answering questions confidently and in all honesty only to find that your PCI compliance policy’s last review was three years ago?
Have you just found out that you don’t have "clean" vulnerability scans for the previous year?
Most organisations tackled their ISO 27001, PCI DSS compliance and other initiatives as a project. They have achieved compliance and simply closed the project.
Their work should have not stopped there because achieving compliance is an occasional result that doesn't ensure a continual protection.
Absence of evidence doesn't translate into evidence of absence. That's why, in addition to an achieved compliance, organisations must ensure that an appropriate governance of the programme is in place and maintained, in order to ensure a constant compliance level.
Organisations should start with creating a list of those important recurring tasks from PCI DSS version 3.0. A first step would be to compare that list with the one below and award a point for each one in place.
| Requirements | Description Note: Some tasks may be performed more frequently depending upon the environment/organisation |
|
Scoping |
Conducting activities to confirm the accuracy of the PCI DSS scope, identifying all locations and flows of cardholder data and ensuring they are included in the scope at least annually. |
|
1.1.7 |
Reviewing firewall and router rule sets at least every six months. |
|
3.1 |
Performing a review to identify and securely delete stored cardholder data that exceeds defined retention at least quarterly. |
|
3.6.4 |
Performing cryptographic key changes for keys that have reached the end of their crypto-period. [Ok, so this one can be a bit tenuous dependent upon your encryption algorithms and key strength] |
|
5.1.2 |
Periodically performing a review of evolving malware threats in order to confirm whether system not commonly affected by virus continue to not require anti-virus software. |
|
5.2 |
Maintaining anti-virus software (the engine and definitions) and performing periodic scans. |
|
6.6 |
Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods at least annually. Note: Not applicable if you use a Web Application Firewall |
|
8.1.4 |
Performing a review of user accounts to remove/disable inactive users at least quarterly. |
|
9.5.1 |
Conducting a review of the security of locations used to store media backups at least annually. |
|
9.7.1 |
Performing a review of the media inventories at least annually |
|
9.9.2 |
Performing periodic physical inspection of POS device surfaces to detect tampering (for example, addition of card skimmers to devices), or substitution (for example, by checking the serial number or other device characteristics to verify it has not been swapped with a fraudulent device) |
|
10.6 |
Reviewing review of logs and security events for all system components to identify anomalies or suspicious activity at least daily.
|
|
10.6.2 |
Reviewing logs from all other system components periodically based on the organisation’s policies and risk management strategy, as determined by the organisation’s annual risk assessment. |
|
11.1 |
Test for the presence of all authorised and unauthorised wireless access points on a quarterly basis. |
|
11.2 |
Conducting vulnerability scans of the internal and external networks at least quarterly. |
|
11.3 |
Conducting a penetration test that includes a review and consideration of threats and vulnerabilities experienced in the last 12 months at least annually. |
|
11.5 |
Perform a comparison of critical files using change-detection mechanisms, such as file integrity monitoring software, at least weekly. |
|
12.1.1 |
Performing a review of the organisation’s security policies at least annually. |
|
12.2 |
Conducting the organisation’s formal risk assessment at least annually. |
|
12.6.1 |
Re-educating individuals as part of the organisation’s formal security awareness programme at least annually. |
|
12.6.2 |
Individuals formally acknowledging that they have read and understood the security policy and procedures at least annually. |
|
12.8.4 |
Monitor th compliance status of service providers at least annually. |
|
12.10.2 |
Test the organisation’s the incident response plan/s at least annually. |
Well, you can start by considering the following:
I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason why I've started my own business is to make IT Security simple.
Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight)/ Linux+/ PCI-QSA / PA-QSA
Comments