Channel: PCI-DSS – PKF AvantEdge
Browsing all 28 articles

PCI-DSS and how we messed up the scope

Reflecting on challenges of a recent PCI-DSS project for a client and the key learning points for an effective implementation People team challenges – having a team to champion the project When we...

PCI-DSS – So Why Aren’t We QSA?

We have faced this question many times before over the course of 7 years working on PCI-DSS in this region. Many customers have asked us, why haven’t we become QSA (Qualified Security Assessor),...

PCI-DSS v3.2 for ePetrol Services Sdn Bhd

Congratulations to ePetrol Services Sdn Bhd for being certified PCI-DSS v3.2 Level 1! ePetrol is a secure and reliable payment switch and service provider that offers a variety of payment solutions to...

PCI-DSS IATA: Dissecting the New FAQs

A few significant things occurred this week for the IATA PCI-DSS Program, summarised below: a) We finally have a very clear way forward thanks to some clarifications direct from IATA, and in some parts...

IATA PCI-DSS: Approaching the BSP Channels

First of all, Selamat Hari Merdeka (Independence Day), and congratulations Malaysia for hauling in a record number of SEA Games Gold Medals. So much so that our government has declared next Monday (4th...

IATA PCI-DSS: Is GDS Client software a browser? Part 1

We are writing a fair bit on PCI-DSS for travel agencies simply because there is a deadline looming for them in March 2018 to become PCI compliant. While one might surmise there is still plenty of...

PCI-DSS: SAQ A and SAQ A-EP differences in a nutshell

OK, we are tackling this wonderful subject for the second time. We have last year touched on this through this post. Unfortunately there are still so many questions on this, that we feel that we need...

IATA PCI-DSS: Why your SAQs Matter

We have had a few discussions among consultants as we progress further into this compliance for our Travel Agency clients. And very often (if not always), the matter always comes down to, “Can we just...

Alienvault: File Integrity Monitoring on Linux Part 1

If you have been deploying or troubleshooting Alienvault long enough, you would know a few things: Alienvault is one of the most flexible SIEMs in the market. It has the most varied security features,...

Alienvault: File Integrity Monitoring on Linux Part 2

So based on our previous article you have so far set up OSSEC (or HIDS in Alien-speak) in your Linux host which you want to monitor. The next thing to do is to configure FIM to work. To recap, we …...

IATA PCI-DSS: New FAQs!

So, it has been a while since we’ve updated on the ongoing PCI-DSS program from IATA. Just a brief recap then: Airlines have demanded that IATA support their own internal compliance project by making...

PCI-DSS Segmentation with Host-Based Firewalls

One of the frequent queries we have faced in the past months as we ramp up our consultancy and advisory for travel agencies and other merchants, has been the question of segmentation. Now, before...

PCI-DSS and the Pervasive Certification Myth

The pervasive certification myth is so pervasive in PCI-DSS that we are going to give it its own Acronym: PCM. Because we are so tired of having to explain this over and over, we are going to canonize...

Penetration Testing and Vulnerability Scans

In our compliance services, oftentimes, we are tasked to assist our clients in security testing – either conducting those ourselves, or to verify previously conducted tests for compliance purposes....

PCI-DSS: The Art of Getting By

The Art of Getting By is a movie that wasn’t very good. I don’t recall much of it, except the title was appropriate for this article. The general idea of PCI-DSS is that it’s easier to maintain the...

Proxies in PCI

A proxy server is a server that serves as an intermediary between the requester (a client PC for example) and the responder (typically the destination server). There are 3 types of proxy servers that...

PCI and the art of scoping

A lot of people we have met had told us this: “Since we are ISO27001, PCI should be a piece of cake, right?” The context of this is because ISO27001 and PCI are often seen as distant cousins. They are...

PCI-DSS: Business Not As Usual

Have you heard the phrase Too Long, Didn’t Read? What if this applies to your PCI DSS compliance program, rephrased to “Too administrative, didn’t do?” We get this all the time in our meetings....

The Service Provider Challenge for PCI

While it’s very tempting as consultants to just sometimes approach a customer requiring PCI-DSS and after identifying all their service providers, declare: “I need all your service providers to also be...

FAQ on SAQs Once Again

Over the past few months, we have been absolutely busy with a fair amount of work. One of the things we have seen an uptick in is merchants coming to us requesting PCI compliance. We have had some...
