PCI DSS regulations remind me of Douglas Adams and deadlines.
"I love deadlines. I love the whooshing noise they make as they go by."
The Payment Card Industry Security Standards Council (PCI SSC) has issued a big update to its guidance on using payment cards with cloud computing services. A lot has happened in the cloud since 2013, when the last version was published. Which may explain why Wednesday’s version three hit 83 pages, 31 pages more than version …
On the subject of PCI, my local Sainsbury's has added extra cameras to all of the self-service checkouts.
They're up above the checkout, and seem to be positioned to get a good view of what is being scanned and put into a bag. There's a screen next to them.
Thing is, they also perfectly capture the card reader, and even if they might not quite have the resolution to read the card number, you could certainly tell what PIN someone has typed in. I assume that this footage is being kept for at least some length of time.
I'm assuming whoever OK'ed them has never heard of PCI at all.
“All public-facing web applications must be protected, either by deploying an automated technical solution that detects and prevents web-based attacks or by employing application vulnerability security testing”
Say what now?! Explains a lot.
Dev: so we gonna get the Ninja App tested to make sure it’s secure?
Mgr: Nah, we’ll buy a WAF.
I’m always amazed how CDE scope magically shrinks once it’s realised how much work, cost and time the apparently ‘easy’ / ‘lazy’ option of just dropping it all in there is going to take! Take another look: where do those PANs go again?