Posted on 15 January 2010. Tags: Brand, Business, Card Processing, Financial services, Merchant Services, Payment Card Industry Data Security Standard, pci dss
An interesting post from blog.elementps.com on the difficulties of franchise models and their impact on the paths of responsibility for PCI DSS compliance.
From a branding standpoint, franchisors have a lot to lose if one of their franchisees falls victim to a breach. Depending on the level of media attention the breach garners, one for a store in downtown Philadelphia has the potential to negatively affect the brand – and, arguably, sales – across the state, regionally or even nationally.
The interesting thing about franchising and PCI DSS is that, while franchisees may have individual merchant accounts with the bank (and therefore be responsible for their own reporting), the impact of a breach on the franchisor's compliance may come into question if a breach were to occur, in addition to the inevitable loss of brand reputation…
I'd be interested to hear any feedback from the field on the topic.
Posted in Uncategorized
Posted on 30 October 2009. Tags: Payment Card Industry Data Security Standard, pci dss, Penetration test, penetration testing, pentest, pentesting, Security, Security Scanners, va, vulnerability assessment
Found a very neat and succinct way of defining the difference between VA and Pentesting.
During a vulnerability assessment an environment is assessed to determine if known vulnerabilities can be identified. Penetration testing goes a step further by attempting to exploit these identified vulnerabilities.
The difference between the two, in terms of identifying a need within an organization, is that vulnerability assessment can be achieved using automated tools, whereas penetration testing generally cannot.
This is important because vulnerability assessment and penetration testing are addressed as separate requirements of the PCI DSS… Doing a VA will not address the pentesting requirement, and vice versa.
Posted in Definitions
Posted on 26 October 2009. Tags: file integrity monitoring, fim, hips, host intrusion prevention system, Intrusion detection system, Payment Card Industry Data Security Standard, Security
I’m continually amazed at how often HIPS is confused with FIM. I guess I shouldn’t be.
Here’s a simple definition:
File Integrity Monitoring (FIM): FIM establishes a baseline value for the content, presence, and permissions of files on a system (applications, binaries, config files, documents – they are ALL FILES). If a change from that baseline is detected, an alert is raised. Examples of FIM products are Samhain, McAfee PCI Pro (formerly Solidcore), Osiris, Tripwire, and nCircle CCM.
Host Intrusion Prevention System (HIPS): A HIPS is in essence the same as a Network Intrusion Detection/Prevention System except that it runs on the host itself. This is useful when you have, for example, point-to-point IPsec tunnelling between your servers, which would stop a NIPS/NIDS from detecting anything inside the tunnel (NIPS/NIDS are all but useless if the traffic they are monitoring is encrypted). Examples are Snort, and just about all of the anti-virus vendors' “endpoint” products now include some sort of HIPS.
This is the REALLY important part if the only reason you are interested is to comply with the PCI DSS:
HIPS will NOT get you compliant with PCI DSS 11.5: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Just the same…
FIM will NOT get you compliant with PCI DSS 11.4: Use intrusion-detection systems, and/or intrusion-prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines up-to-date.
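To make concrete what 11.5 asks a FIM tool to do (and why a HIPS, which watches traffic and behaviour rather than file state, does not satisfy it), here is an added example written for this page; it is not code from any of the products named above. It baselines the content hash, permission bits and presence of every file under a directory, then reports each kind of deviation on a later comparison. The directory tree and the changes made to it are constructed inline.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Baseline every regular file under root: content hash and permission bits (presence is implied)."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        mode = stat.S_IMODE(path.stat().st_mode)
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[str(path.relative_to(root))] = {"sha256": digest, "mode": mode}
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return (relative_path, alert_kind) for every deviation from the baseline."""
    alerts = []
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            alerts.append((rel, "missing"))
            continue
        if new["sha256"] != old["sha256"]:
            alerts.append((rel, "content_changed"))
        if new["mode"] != old["mode"]:
            alerts.append((rel, "permissions_changed"))
    for rel in current.keys() - baseline.keys():
        alerts.append((rel, "unexpected_new_file"))
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: baseline a small tree, alter it, then re-run the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("db_host=localhost\n")
        (root / "etc" / "cert.pem").write_text("placeholder certificate\n")
        (root / "bin" / "pos").write_bytes(b"placeholder binary")
        os.chmod(root / "bin" / "pos", 0o755)
        baseline = snapshot(root)
        # Changes made between the baseline and the next scheduled (at least weekly) comparison.
        (root / "etc" / "app.conf").write_text("db_host=other-host\n")
        (root / "etc" / "cert.pem").unlink()
        os.chmod(root / "bin" / "pos", 0o777)
        (root / "bin" / "helper").write_text("#!/bin/sh\n")
        return compare(baseline, snapshot(root))
```

A real deployment would store the baseline somewhere the monitored host cannot silently rewrite it and feed the alerts to whoever is on the hook for 11.5, but the four alert kinds above are the whole of what the requirement is asking for.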
Posted in Host Security