Articles by Joe Bonnell
PCI Compliance Becomes Scorecard for CSOs
Companies recertifying for the second or third year of PCI compliance are having a rough go of things as of late. A combination of the latest clarifications within the revised PCI DSS standard, along with the recent scoring matrix that compels assessors to ensure they have done a thorough job as part of the review, has caught an unfortunate number [continue]
Twitter Confidential Information Compromised Via Weak Password
As noted, poor password management trumps strong security technology every time. Any bets on how long before Google *requires* strong passwords? Both are victims, both share blame. A side note about this hack is that it highlights the trust relationships (and residual risk) that business partnerships impart upon each other.
Preparing for your PCI-DSS v1.2 assessment
A number of dynamics are at work that have made attaining PCI compliance a more difficult proposition over previous years. The guidance assessors are receiving from the PCI Council is that evidence must be provided that demonstrates your Infosec program is in place and functioning as designed. Expect to respond to requests for multiple change records that cover [continue]
