
PCI DSS Compliance Demystified

PCI DSS and Regulatory Compliance Blog


Cloud Computing and PCI - VM Image Sprawl (Yesterday)

Randy Bias posted a link about virtual machine (VM) image sprawl.  Just like the housing sprawl of cities, there appears to be a dramatic increase in the number of VM images being created.  This could impact regulatory issues such as PCI compliance because the Cardholder Data Environment is now more flexible than ever.

Andrew notes:

Main takeaway is the 12% month-over-month growth of AMIs from 11/24 to 12/24. That’s pretty amazing when you consider this is the public images only.

Private images might range somewhere between 10 and 100x public images.

Companies that once managed the risk of storing, processing, or transmitting payment card information are now struggling to contain the systems that handle this data.  Most companies keep these systems within what is commonly referred to as the Cardholder Data Environment (CDE).  For many traditional companies this is a static area comprised of servers, routers, firewalls, point of sale devices, and payment processing engines.  The rise of cloud computing and virtualization could change that.

The advent of virtualization has been a big benefit to companies that need dynamic growth, especially in times of increased or decreased utilization.  It is commonly known that ma

Society 2009 Training Dates (Yesterday)

The Society of Payment Security Professionals (SPSP) announced their 2009 training dates for the CPISM and CPISA certifications.  The Society has partnered with Intense Schools to provide CPISM/CPISA Training and Certification throughout the US.

You can register for the CPISM or the CPISA (which is more comprehensive and includes the CPISM materials).  The following guidelines will help you decide which is best for you:

  • CPISM - You are new to the Payments Industry or looking for a boot camp that will inform you on all areas of compliance, risk management, enforcement, PCI, and state and national laws.
  • CPISA - This includes all of the above materials but also goes deep into PCI DSS Requirements 1-12, information security, and audit processes.

In addition to the dates, we will also be hosting a Secure Payments PCI Day on June 8, 2009.  This will precede the CPISM/A classes in Redwood City, CA (USA).

Society going global (December 26 2008)

Even though we have already trained thousands of merchants, acquiring banks, and service providers in many countries around the world, we have not yet trained these groups in Africa - until now.

The Society of Payment Security Professionals (SPSP) is both attending and presenting an educational PCI conference in Johannesburg, South Africa.  This event will be 27 January 2009 at the Hyatt Regency Hotel. The Society will expand the current educational, training, association and certification opportunities to participants from South Africa.

I met a friend last year who attended one of the PCI training sessions we put on in Prague.  He said, “this is the kind of training we need in South Africa.”  That conversation and many other fortunate events have brought the Society to ZA.  I’m excited about this event because over the past year Africa has put itself on the map as a place for more secure payments.  In addition to South Africa, merchants and banks from other countries have become interested in the Payment Card Industry.  These countries include: Egypt, Algeria, and even Rwanda.

The Society will also be keynoting the ITWeb Security Summit in Johannesburg on 26-28 May 2008.

(In addition to these inter


PCI already addresses Virtualization (December 9 2008)

I’ve written about how PCI already addresses virtualization here, here, and here.  A recent article discusses how PCI needs to address this technology.  My question is why?  Does PCI also need to clearly outline how you should use HSMs, IDS, FIM, user authentication, and firewalls?  Where do we stop?

Some people often complain about how specific the PCI DSS standard is and argue that it should be more generic to enable flexibility.  But when it comes to technologies they wish to promote, suddenly it is not specific enough.  Why are the current requirements not enough?  I did a podcast on PCI compliance for cloud computing environments and outlined the current rules that already address virtualization.  Instead of pushing for more information around one technology, which will surely change over time, how about simply clarifying the current requirements, such as 2.2.1, the infamous and misused “only one primary function per device”?

I like less complexity and not more.  If the PCI Council did start a SIG on virtualization then there would be an

Payment Security Professional of the Year Nominations (December 9 2008)

I can’t believe the year is almost over.  The Society of Payment Security Professionals (SPSP) has seen great success with a membership of almost 500, several hundred of whom are certified CPISM and CPISA individuals.  The Society board members have put together working groups on Application Security, Network Segmentation, and Legal Issues. Each of these groups is made up of individuals who work to help raise awareness and clarity on these issues.

The PCI Answers blog had about 200,000 hits.  We keep getting a stream of emails and phone calls for more information and clarification.

Since you have made the Society such a great success, we’ve decided to give back to you!  That’s right, the Society is now taking nominations for the Payment Security Professional (PSP) of the year.  Nominations will be collected over the next six weeks and the winner will be chosen by the Advisory Board and announced on January 30, 2008.  Here is what you could win:

  • 15-inch MacBook Pro
  • Feature article in Secure Payments, the SPSP magazine set to debut in Q1 2009.
  • Highlighted profile on the Payment Security P