6 min
PCI
Enforce and Report on PCI DSS v4 Compliance with Rapid7
The PCI Security Standards Council (PCI SSC) is a global forum that connects stakeholders from the payments and payment processing industries to craft and facilitate adoption of data security standards and relevant resources that enable safe payments worldwide.
3 min
PCI
How PCI Compliance Helps Keep Your App’s Credit Card Data Safe
In this blog, we break down why you and your organization should be committed to the Payment Card Industry Data Security Standard (PCI DSS, or PCI).
3 min
InsightIDR
Utilize File Integrity Monitoring to Address Critical Compliance Needs
To help organizations address their compliance auditing needs, we are excited to introduce file integrity monitoring (FIM) for InsightIDR.
2 min
Compliance
The British Airways Breach: PCI is Not Enough
Magecart's techniques are sophisticated and worth understanding in detail, especially because they point out a major gap that occurs even with perfect PCI compliance.
4 min
InsightIDR
PCI DSS Dashboards in InsightIDR: New Pre-Built Cards
No matter how much you mature your security program
[https://www.rapid7.com/fundamentals/security-program-basics/] and reduce the
risk of a breach, your life includes the need to report across the company, and
periodically, to auditors. We want to make that part as easy as possible.
We built InsightIDR [https://www.rapid7.com/products/insightidr/] as a SaaS SIEM
[https://www.rapid7.com/fundamentals/siem/] on top of our proven User Behavior
Analytics (UBA) [https://www.rapid7.com/solutions/user-
2 min
Nexpose
Maximizing PCI Compliance with Nexpose and Coalfire
In 2007 Coalfire selected Rapid7 Nexpose as the engine around which to build
their PCI Approved Scanning Vendor offering. PCI was just a few years old and
merchants were struggling to achieve and document full compliance with the
highly prescriptive Data Security Standard. Our goal was to find that classic
sports car blend of style and power: a vulnerability assessment solution that
was as streamlined and easy to use as possible, but robust enough to
significantly improve the customer's security.
2 min
Compliance
Top 3 Takeaways from the "PCI DSS 3.0 Update"
In this week's webcast, Jane Man [/author/jane-man] and Guillaume Ross
[/author/guillaume-ross] revisited the latest PCI DSS 3.0 requirements. Security
professionals need to be diligent to remain compliant and secure. Jane and
Guillaume discussed some key results from the Verizon 2015 PCI Compliance
Report, tips and tricks for complying with requirements 7, 8, and 10, and
touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways
from the “PCI DSS 3.0 Update: How to Restrict
2 min
Metasploit
Creating a PCI 11.3 Penetration Testing Report in Metasploit
PCI DSS Requirement 11.3 requires that you "perform penetration testing at least
once a year, and after any significant infrastructure or application upgrade or
modification". You can either conduct this PCI penetration test in-house
[/2011/10/20/pci-diy-how-to-do-an-internal-pentest-to-satisfy-pci-dss-requirement-113]
or hire a third-party security assessment. Metasploit Pro offers a PCI reporting
template, which helps you in both of those cases. If you are conducting the
penetration test in
1 min
PCI
PCI Compliance Dashboard - New version including SANS Top20 Critical Security Controls
Hi,
According to what we are hearing from the field, there are quite a large number
of active users of this PCI Compliance Dashboard out there. Encouraged by your
feedback and your assistance we worked on this new release. Among other great
enhancements it encompasses references to the SANS Top 20 Critical Security
Controls. A deeper analysis paper on PCI-SANS matching and deviation areas will
follow, but for now, enjoy this new version of the PCI Compliance Dashboard.
What's New?
* Add a tabl
2 min
Metasploit
PCI DIY: How to do an internal penetration test to satisfy PCI DSS requirement 11.3
If you're accepting or processing credit cards and are therefore subject to PCI
DSS, you'll likely be familiar with requirement 11.3, which demands that you
"perform penetration testing at least once a year, and after any significant
infrastructure or application upgrade or modification". What most companies
don't know is that you don't have to hire an external penetration testing
consultant - you can carry out the penetration test internally, providing you
follow some simple rules:
* Sufficie
1 min
PCI
What to do if your organization can't demonstrate four passing PCI internal or external scans
Two cases:
1) Your company is assessed for the first time:
Entities participating in their first ever PCI DSS assessment are only required
to demonstrate that the most recent scan result meets the criteria for a passing
scan, and there are policies and procedures in place for future quarterly scans,
to meet the intent of this requirement. So to be compliant with 11.2 the first
time you are assessed, you only need to demonstrate that the most recent scan is
a PASS.
2) Reassessment (from th
2 min
PCI
PCI Newsletter #2 - Payment Processing Terminology and Workflow
Hi Everyone,
This is our second PCI 30 sec newsletter.
One cannot move through the PCI ecosystem without a basic understanding of the
payment processing terminology and workflow. So let's have a look behind the
scenes.
The payment processing terminology
In a nutshell, the payment transaction could be depicted as follows:
We have cardholders that make payment card purchases from merchants, merchants
that send payment transaction data to their acquirers, and acquirers that send
payment transacti