The current version of the PCI DSS is 3.2.1, published in May 2018. Requirement 6 states that you must “Develop and maintain secure systems and applications.” Sure, no problem. That’s totally clear and straightforward — at least for anyone who’s never tried to develop and maintain secure systems and applications! For the rest of us, that’s a tall order. Read more “How to Address PCI DSS Requirement 6.6 — A Two-For-One Solution From Threat Stack”
PCI DSS stands for Payment Card Industry Data Security Standard. These standards are in place to help businesses protect themselves and their customers by outlining how sensitive personal information, like credit card data, gets stored. If you process payments using debit or credit cards, you must meet PCI DSS, or you might be fined or have your ability to process cards revoked altogether. Read more “PCI Compliance Checklist”
This post explains how the PCI Security Standards Council has introduced its new PCI Software Security Framework to align PCI with modern software development and deployment practices such as DevOps, microservices, and containers.
Read more “New PCI Standards for New Ways of Building Software”
A Definition of AWS PCI Compliance,
Benefits, Requirements, & More
If your organization processes credit or debit card payments, PCI compliance is essential. If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Standards. In this post, I’m going to walk you through what you need to know about AWS PCI compliance to ensure compliance in the cloud. Read more “What is AWS PCI Compliance?”
Compliance processes have a reputation for being expensive, time-consuming, and fraught with difficulties — and sometimes certifications are looked upon with skepticism. However, most of the PCI requirements are common sense, best practices that any organization that is concerned with security should adopt. At MineralTree, we use Threat Stack to mitigate security threats. Additionally Threat Stack helps us adhere to PCI requirements and document our compliance.
Let me explain . . .
We write about compliance (and talk to customers about it) pretty regularly, and if you’ve been following our blog over the last two months, then you know we also just did a full series on the topic. In addition, we released the The Threat Stack Compliance Playbook that’s full of practical information you can use to help your company achieve compliance without losing your sanity.
When companies prepare to meet compliance, whether it’s PCI DSS, HIPAA, or SOC 2, one thing that can be estimated inaccurately is the stakeholders who need to be involved — who they are, what departments they come from within your organization, what their roles are, what knowledge and skill sets they require, how long they’ll be needed, etc. This post is intended as a practical guide to help you develop a thorough and realistic resource plan for your next compliance audit.
Have you heard one about the bear and the two hikers?
A bear jumps out of the bush and starts chasing two hikers. They both start running for their lives, but then one of them stops to put on his running shoes.
The first hiker says, “What are you doing? You can’t outrun a bear!”
The second hiker replies, “I don’t have to outrun the bear; I only have to outrun you!”
Compliance works in a similar way. You don’t need to be the most compliant company; you just need to meet the requirements well enough to satisfy regulators, auditors, customers, and stakeholders. And, ideally, you want to be more compliant than your competitors. That’s how you outrun the bear (err… win the customer.)
When’s the last time someone made an unauthorized change to your system files?
To answer this and other important security questions, as well as to meet many compliance requirements, you first need to have file integrity monitoring. In case you aren’t familiar with the term, file integrity monitoring (sometimes abbreviated to FIM) is the method for knowing exactly when and how your files are being changed at any moment in time. This includes critical system files, configuration files, and content files.
Companies can easily underestimate the investment required to meet compliance. Thinking compliance is a one-and-done activity that you can skate by with minimal spend only sets you up for unpleasant surprises later on. Compliance can be a long, drawn-out process, involving HR, finance, security, leadership, and others. So it’s important to look at all the costs up front in order to set aside a realistic budget.
A good way to approach compliance is to treat it like a new product launch. You’ll need a dedicated project team, new technology, a reasonable budget, and more to get it off the ground.