Articles by 'Nancy Rand'

By Nancy Rand, Posted in Security

The PCI Council published a blog announcing the coming of PCI DSS version 4.0 at the end of March 2022 https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0. The blog contains a PCI DSS Version 4.0 Implementation timeline. The new standard document, the Summary of Changes v3.2.1 to 4.0 will be released along with the Report on Compliance ROC Template and Attestations of Compliance AOC documents at the end of March 2022. The Self-Assessment Questionnaires SAQs will be available shortly after. Tr... read more.

• March 17, 2022

By Nancy Rand, Posted in Security

In November, Troy Leach, Senior Vice President, Engagement Officer for the PCI Security Standards Council (PCI SSC), and Suzie Squier, President of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC), discussed the protection of payment data during this holiday season.   https://blog.pcisecuritystandards.org/be-on-alert-this-holiday-season In October, the PCI SSC blog focused on their Work from Home Security Awareness Training, which is available from the council.... read more.

• November 29, 2021

By Nancy Rand, Posted in Security

The PCI Council has published a series of blogs on payment data security as part of their task force for small merchants.  Topics include: Back-to-Basics: Think Before You Click Back-to-Basics: Properly Configured Firewalls Back-to-Basics: Secure Remote Access Back-to-Basics: Use Strong Encryption Back-to-Basics: Keep Software Patched Back-to-Basics: Use Strong Passwords Back-to-Basics: Reduce Where Payment Data Can Be Found PCI SSC Shares Resources for Navigating Changing Payment Environmen... read more.

• September 08, 2021

By Nancy Rand, Posted in Infrastructure, Security

On August 5, 2021, the PCI DSS Council and the Cloud Security Alliance (CSA) issued a joint statement on the importance of cloud scoping. https://www.pcisecuritystandards.org/about_us/press_releases/pr_08052021 https://www.pcisecuritystandards.org/pdfs/PCI_Cloud_Security_Alliance_Cloud_Bulletin.pdf Best practices focus areas are discussed: Data protection, Authentication, Systems management, DevOps & DevSecOps, Data governance and Resiliency. These best practices are important to the security of clou... read more.

• September 02, 2021

By Nancy Rand, Posted in Security

The PCI Security Standards Council, PCI SSC, published a new version of the Secure Software Standard and its supporting program documentation on 4/29/2021. https://www.pcisecuritystandards.org/about_us/press_releases/pr_04292021 This version includes a new Terminal Software Module that contains requirements for software used on PCI-approved PIN Transaction Security (PTS) Point-of-Interaction (POI) devices. There are currently two other modules in this Standard: The “Core” module that contai... read more.

• May 18, 2021

By Nancy Rand, Posted in Infrastructure, Security

The Cloud Security Alliance released two new research documents to provide guidance on Cloud Incident Response and Consuming and Providing APIs. https://cloudsecurityalliance.org/artifacts/cloud-incident-response-framework/?utm_source=email https://cloudsecurityalliance.org/artifacts/security-guidelines-for-providing-and-consuming-apis/?utm_source=email Cloud Incident Response provides a framework for handling the lifecycle of a security incident in the cloud and discusses what information is shared inte... read more.

• May 18, 2021

By Nancy Rand, Posted in Security

The Cloud Security Alliance released their latest version of the Cloud Control Matrix (CCM) on 1/20/21. It is available from their website after answering a few questions. The mappings to Scope Applicability, Architectural Relevance, Corporate Governance Relevance, Cloud Service Delivery Model Applicability, Supplier Relationship, are not yet available, but the CSA has released the matrix to assist organizations to prepare to upgrade to version 4. https://cloudsecurityalliance.org/research/cloud-controls-m... read more.

• January 22, 2021

By Nancy Rand, Posted in Security

When preparing to securely work from anywhere, it is tantamount that a zero trust policy be adopted. Locations and assets are not to be inherently trusted. A system of policies and software are needed to protect from malicious intent.  In August 2020, NIST published SP 800-207, the final version of their Zero Trust Architecture. It is available for download from: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf The tenets of zero trust are presented in section 2.1. They are... read more.

• October 05, 2020

By Nancy Rand, Posted in Security

NIST and the PCI DSS Council have both published software development frameworks. PCI DSS published a blog today highlighting an interview between Kevin Stine, Chief of the Applied Cybersecurity Division at NIST and Troy Leach, SVP, Engagement Officer at PCI SSC.  This blog discusses the importance of secure software development and contains links to additional information. https://blog.pcisecuritystandards.org/nist-and-pci-ssc-find-common-ground-in-development-of-software-frameworks Additionally, Th... read more.

• September 11, 2020

By Nancy Rand, Posted in Security

NIST published links to GDPR and ISO crosswalks to the NIST Privacy Framework. These are published by Microsoft (for ISO/IEC 27701) and the Enterprivacy Consulting Group (for the GDPR-Regulation 2016/679). https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks/gdpr-crosswalk-enterprivacy-consulting-group https://www.nist.gov/privacy-framework/resource-repository/browse/crosswalks/isoiec-27701-crosswalk-microsoft Each spreadsheet provides a mapping between the framework and the GDPR... read more.

• July 23, 2020