I have been preparing for the PCI DSS 2.0 draft released on October 28th, 2010, which is to be ratified in January of 2011. PCI DSS 2.0 clarifies requirements in many areas.
The 2.0 draft released yesterday shows little change in the wireless recommendations around detecting the presence of rogue wireless access points. If anything, the draft adds a little more room for interpretation.
In PCI DSS Draft v2.0, requirement 11.1 states that to be compliant, organizations are required to “Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.” A note adds: “Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS. Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.”
As we examine this statement, it seems to lend itself to more than one option: perform a quarterly scan with a handheld scanner, rely on physically inspecting connections, or implement an always-on wireless IDS/IPS solution. I vote for the latter. Why?
Tags: IDS, pci, Rogue, security, wireless
PCI DSS, the Payment Card Industry Data Security Standard, is a set of standards that, more than many regulatory and compliance efforts, has real-world relevance. PCI compliance can earn merchants tiered interchange rates and protection from fraud losses, while a lack of compliance can result in fines of thousands or tens of thousands of dollars per month. Unlike some compliance efforts with relatively small penalties that are unlikely to be applied, PCI compliance has significant financial implications with a high probability of impact.
PCI DSS 2.0 is being released today. Earlier, we took a look ahead at some issues around PCI in a piece that you can read here.
So, now that we are on the cusp of a new set of standards, what’s new?
Tags: pci, pci-dss, security, standards
Will PCI 2.0 Bring Virtual Relief to Real Questions?
PCI Data Security Standard (PCI DSS) 1.2.1, a set of standards for retail and other verticals that defines the requirements for security compliance, is relatively simple and straightforward. Twelve requirements define the spirit and intent of the standard. These are good, common-sense guidelines and best practices derived from decades of experience keeping customer data secure. However, there are areas where PCI DSS could do a better job of handling what have become common, well-accepted practices; virtualization is one of those areas.
Tags: compliance, pci, pci-dss, security, virtualization