header
header
header

Summing It Up

Keeping you ahead of the curve with timely news & updates.


Justin Bonk

Recent Posts

PCI DSS 3.2 Req 6.4.6 - Views on Updating PCI DSS Compliance Programs Upon Significant Changes to a Cardholder Data Environment

If you are classified as a merchant or service provider, anytime you make a significant change to your cardholder data environment, you are required to ensure that all relevant PCI DSS requirements have been applied to that change. This means adding an extra step of analyzing any PCI DSS requirements that apply to that change and documenting how you've ensured that those requirements have been applied like updating network diagrams or data flow diagrams.

Click to see a short video on PCI DSS 3.2’s Section 6.4.6 requirements

PCI DSS 3.2 Req. 6.4.6

 

Freed Maxick 6.4.6 Guidance   

PCI DSS is a rolling and perpetual standard which requires organizations to approach any chances to their environment with compliance considerations in mind. Any significant changes to the PCI CDE (Cardholder Data Environment) may require additional scrutiny on the creation of documentation or reviews of system configurations.

 

PCI DSS Resources 

For additional insights and guidance on 6.4.6 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651

View full article

PCI DSS 3.2 Req 8.3.1 - Views on Multi-Factor Authentication

If you're classified as a service provider or merchant, you're required to implement multi-factor authentication for any non-console administrative access into your cardholder data environment . There are multiple ways this can be accomplished, and you should consult with your QSA about the most appropriate way for you and your company to make it happen.

Click to see a short video on PCI DSS 3.2’s Section 8.3.1 requirements

PCI DSS 3.2: Req. 8.3.1

 

Freed Maxick 8.3.1 Guidance   

Multi-factor authentication is a means to confirm a user’s claimed identity through knowledge, something they and only they know as well as possession, something they and only they have. MFA creates a defense mechanism which makes it more difficult for hackers or unauthorized users to access system resources.

 

PCI DSS Resources 

To receive more insights and guidance on 8.3.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651

View full article

PCI DSS 3.2 Req 10.8 and 10.8.1 - The Process for Detecting, Reporting, and Responding to Failures in Security Mechanisms

If you're classified as a service provider you need to implement policies and procedures, and response mechanisms for addressing any failures in critical security mechanisms including firewalls, intrusion detection systems, intrusion prevention systems, and antivirus file integrity management systems.

Click to see a short video on PCI DSS 3.2’s Section 10.8 and 10.8.1 requirements

PCI DSS Req. 10.8 and 10.8.1

 

Freed Maxick 10.8 / 10.8.1 Guidance   

Policies and procedures should be reviewed and updated in the event of process changes and should accurately reflect the organization’s current PCI environment. Detection mechanisms should be configured appropriately to alert trained and qualified personnel in the event of critical security control failure. 

Critical security control failures should be responded to as soon as possible. Any lag time in response or remediation can lead to unauthorized control of system resources, data leakage, or the installation of malicious software. It is necessary that documentation is prepared to support security failure response from an employee and system level perspective.

 

PCI DSS Resources 

To receive more insights and guidance on 10.8 and 10.8.1 compliance and other PCI DSS requirements, read our blog post and get a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here. If you wish for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.

 

View full article

PCI DSS 3.2 Req 11.3.4.1 - Views on Semi-annual Penetration Testing

If you are a service provider that uses network segmentation to reduce the overall scope of your PCI DSS assessment, what was formerly an annual requirement to obtain a penetration test is now a semi-annual requirement meaning it must be done every six months.  Make sure to reach out to your QSA to ensure that you are compliant with this timing requirement. 

Click to see a short video on PCI DSS 3.2’s Section 11.4.3.1 requirements 

PCI DSS 3.2 Req. 11.3.4.1

 

Freed Maxick 11.3.4.1 Guidance   

Organizations should schedule penetration tests in advance to meeting the timing restriction of this requirement. An experienced and qualified penetration tester independent of the organizational unit should be consulted to perform this assessment to validate and confirm the scope of the cardholder data environment

 

PCI DSS Resources 

For more guidance on 11.4.3.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

Freed Maxick services for PCI DSS Compliance can be found here, but for a more detailed discussion of your organization’s situations and needs, contact us or call me at 716.847.2651.

View full article

PCI DSS 3.2 Req 12.4.1 - Views on Establishing Responsibility for the Protection of Cardholder Data

If you're classified as a service provider, you are required to formally establish the overall responsibility for PCI compliance and the protection of cardholder data. Your PCI DSS Charter should be approved by executive management at least annually and anytime that there are major changes to your organization.

Click to see a short video on PCI DSS 3.2’s Section 12.4.1 requirements.

 

 

 

Freed Maxick 12.4.1 Guidance   

Establishing authority and responsibility for a PCI program within an organizational is an essential step in maintaining compliance. Aligning strategy with explicit requirements allows for increased level of cybersecurity and protection of sensitive customer data. Executive management’s role in PCI compliance promotes a more holistic approach to data security

 

PCI DSS Resources 

For more guidance on 12.4.1 compliance and other PCI DSS requirements, read our blog post that includes a downloadable overview of all recent updates and revisions.

An overview of Freed Maxick services for PCI DSS Compliance can be found here, and for a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

View full article

PCI DSS 3.2 Req 12.11 and 12.11.1 - Views on Performing Quarterly Reviews and Maintaining Documentation of Quarterly Review Process

If you're classified as a service provider, you are required to implement a process for internal quarterly review of critical security procedures to ensure those procedures are operating effectively. You also need to perform and maintain documentation of the quarterly review process.

Click to see a short video on PCI DSS 3.2’s Section 12.11 and 12.11.1 requirements. 

 

 

Freed Maxick 12.11 and 12.11.1 Guidance   

Quarterly reviews of PCI procedures help to promote accountability within the organization. It is essential to document the results of all quarterly reviews and train employees to be familiar with specific PCI requirements. Retaining appropriate documentation and evidence of quarterly reviews helps to support the completion of required PCI DSS procedures.

 

Our PCI DSS Resources 

For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018, and see an overview of Freed Maxick PCI DSS Compliance services here. 

For a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

 

View full article

PCI DSS 3.2 Req 3.5.1 - Views on Documented Cryptographic Architecture

If you're classified as a service provider, you're required to maintain a documented description of your cryptographic architecture including any cryptographic algorithms security protocols and keys, including the keys specific to usage expiration date and strength

Click to see a short video on PCI DSS 3.2’s Section 3.5.1 requirement.

 

Freed Maxick 3.5.1 Guidance   

Relative to documented cryptographic architecture, our recommendation is that organizations who are subject to PCI DSS compliance should take proactive steps to maintain an up to date listing of cryptographic tools being utilized to protect cardholder data.

 

PCI DSS Resources 

For more guidance on this issue and other PCI DSS requirements, read our blog post on new requirements for 2018 that includes a downloadable overview of all recent updates and revisions.

 

An overview of Freed Maxick services for PCI DSS Compliance can be found here. For a more detailed discussion of your organization’s situations and needs, contact us here or call me at 716.847.2651.

……………………………………………………

 

View full article