When it comes to protected information security under PCI DSS, consistent purview over log data is the guidance. But it’s known that this objective is not as easy as it sounds. Organizations managing PCI data are supposed to review log data and periodically schedule an assessment to be completed by an outside party. However with today’s economy, and so much being asked of IT staff, I wonder if periodic review of sensitive data risk controls to comply with PCI DSS is adequate.
 

Continue Reading >>>

Organizations must track and monitor all access to cardholder data and related network resources – in stores, regional offices, headquarters, and other remote access.

Yes, it is well documented that the three (3) tenets for adhering to PCI DSS 2.0 are as follows:

Assess - Identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analyzing them for vulnerabilities that could expose cardholder data. Remediate - Fixing vulnerabilities and not storing cardholder data unless you need it. Report - Compiling and submitting required remediation validation records (if applicable), and submitting compliance reports to the acquiring bank and card.

Continue reading >>>

Using NISTIR 7628 and NISTIR 7756