Friday, July 26, 2019

Modules of PCI SSF

The requirements of the PCI Software Security Framework are divided into two groups: Core requirements and Account data protection. The core requirements of secure software apply to all payment software, regardless of its functions or underlying technologies. Account data protection applies to any application that stores, processes and/or transmits Sensitive Authentication Data (SAD) or Cardholder Data (CHD).
A direct consequence of the above definitions is that PCI secure software may be allowed to store CHD where applicable, according to the standard's requirements. This is the tricky point that some organizations misunderstand.

Wednesday, July 24, 2019

SELKS: Suricata IDS powered by the ELK

SELKS is a fantastic network-based intrusion detection system. It uses Suricata as the IDS engine and the Elasticsearch/Logstash/Kibana (ELK) stack as the log management system. I've tested the 4th version, although today its 5th version is stable. As I remember, installation of the VM distribution is straightforward, configuring the ELK subsystem is somewhat tricky, while the other subsystems are easy to set up. You can enjoy the pre-built dashboards, and you can also build your own.

Tuesday, July 23, 2019

PCI SSF is more than a SDL

According to the PCI blog, ''Key security principles addressed in the Secure Software Standard include critical asset identification, secure default configuration, sensitive data protection, authentication and access control, attack detection, and vendor security guidance.'' That is, the SSF is more than the so-called Security Development Lifecycle (SDL). It includes all the standards and aspects that should be considered in a payment application regarding payment data security as well as how to validate and maintain the software.

Sunday, July 21, 2019

PCI Software Security Framework

PA-DSS, which has long been recognized as the de facto standard for payment application data security, will be replaced by the recently published ''Software Security Framework'' standard by the end of 2022. PA-DSS validation requests submitted by vendors will be accepted until June 2021. In a recent FAQ published on the PCI SSC blog, the relationship between the new security framework and the PA-DSS standard was explained as follows:

''The PCI Software Security Framework is separate and independent from PA-DSS. While the PCI Software Security Framework includes elements of PA-DSS, the Framework represents a new approach for securely designing and developing both existing and future payment software. PA-DSS was designed specifically for payment applications used in a PCI DSS environment. The PCI Software Security Standards extend beyond this to address overall software security resiliency. The PCI Software Security Framework is designed to support a broader array of payment software types, technologies, and development methodologies in use today and also support future technologies and use cases.''

In future posts, I will take a glance at SSF.