I have tweeted a link to this article previously, but it is worthwhile and bears repeating. Jeff Man has done an excellent job recapping not only the changes found in DSS 3.2 but also the timing implications. This is required reading for everyone striving to maintain compliance as a merchant or service provider.
I am a strong supporter of BSides and am particularly sad that I am not in San Francisco participating this year. I am also sending a shout-out to Jeff Man of Tenable and his presentation.
This is an excellent explanation of the changes announced by the Payment Card Council (PCI) concerning the use of SSL as a form of strong cryptography. Please take note of Mr. Man’s explanation and the impacts these changes will have on compliance efforts.
This is additional sound wisdom from Jeff Man at Tenable. You can never test security too much. I realize that many of us live in worlds with resource constraints, but you should always schedule and dedicate resources to testing and validation.
I am always a fan of Jeff Man’s take on the state of PCI, so this podcast is certainly worth a listen.
I was fortunate enough to work with Jeff a couple of years ago while he was still at AT&T. He was an excellent QSA, and I quickly learned to value his opinion on several fronts in the realm of IT security. I believe he is on point in this article concerning cyber insurance. There is significant due diligence that must be performed beyond the potential check box of insurance and/or liability diversion. Cyber insurance certainly has value, especially in terms of cost offsets for the public relations needs associated with a breach, but it is not a magic bullet. It should be considered one tool in the cyber security toolbox.