PCI Compliance

Detecting Credit Cards, SSNs and other Sensitive Data on UNIX/Linux Systems

by Paul Asadoorian on June 16, 2014

Nessus, Nessus Enterprise and Nessus Enterprise Cloud users can now remotely scan UNIX and Linux systems for the presence of sensitive information such as credit/debit card numbers, SSNs, company confidential information, and more. What Can I Discover? New configuration auditing capabilities have been added for Nessus users to remotely check UNIX and Linux systems for the presence of sensitive information. This capability has been available on Windows systems for some time; you can refer to the blog post titled "Detecting Credit Cards, SSNs and other Sensitive Data at rest with Nessus" for...

Tenable Network Security Validated for PCI DSS 3.0 for VMware

by Manish Patel on June 10, 2014

Today, we announced that all Tenable solutions have been validated by Coalfire for use in VMware environments for Payment Card Industry Data Security Standard (PCI DSS) version 3.0, the latest version of the standard. You may be wondering – Well, what does it mean to me? Any organization that transmits, processes, or stores payment card data must comply with PCI DSS 3.0 requirements by Jan 1, 2015. However, PCI guidance is written to be vendor agnostic and organizations must interpret the requirements and map these requirements to vendor solutions. Virtualization software adds further...

Best Practices for PCI, Cybersecurity Protection (Part II): Encryption and Tokenization

by Jeffrey Man on May 12, 2014

Posted originally on Wired, InnovationInsights blog For my fifth and final installment of this blog series, I’d like to spend some time talking about the pros and cons of two technology solutions which promise to offload most if not all of the burden of PCI compliance for merchants large and small. The goal is to create an environment where properly implemented, these solutions would greatly reduce the “footprint” of payment card data that makes a merchant subject to Payment Card Industry (PCI) Data Security Standard (DSS) compliance in the first place. Don’t Miss the Cybersecurity forest for...

Five 'Truths' About PCI Compliance and Cybersecurity

by Jeffrey Man on April 28, 2014

Posted originally on Wired, InnovationInsights blog In my last blog, I dispelled three common misconceptions about the Payment Card Industry (PCI) Data Security Standard. And to lend further insight about PCI — especially with regard to its impact upon your cybersecurity assurance — I’d like to share five "truths" that you must know about your approach to cybersecurity and PCI compliance: Never separate PCI compliance from your overall security efforts. Many organizations make the mistake of putting PCI in some kind of box, practically removed from the security program. But PCI is a data...

The Truth Behind Three PCI 'Myths'

by Jeffrey Man on April 22, 2014

Posted originally on Wired, InnovationInsights blog In Part I of this series of posts, I examined how retailers face immense challenges with respect to their cybersecurity posture but don’t often focus on the important elements. For starters, they will spend an inordinate amount of time struggling to "reduce the scope" of their enterprise that needs to comply with the Payment Card Industry (PCI) Data Security Standard. Then, when they are found to be compliant, they too often discover (the hard way) that their bare minimum approach to PCI compliance has left them still vulnerable to exploits...

Cybersecurity Is About Attitude, Culture -- Not Strictly Compliance

by Jeffrey Man on April 10, 2014

Posted originally on Wired, InnovationInsights blog How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I’ll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business. In all that I’ve read, there’s too much emphasis on...

Nessus Perimeter Service Wins Global Excellence Award for PCI Compliance

by Jeffrey Man on March 7, 2014

Tenable Network Security was recognized at the 10th Annual Info Security Industry’s Global Excellence Awards dinner held last week in San Francisco. Nessus®/Nessus Perimeter Service™ received a Global Excellence Award in the PCI Compliance Category. The Info Security Products Guide recognizes that over two-thirds of all PCI-Certified Approved Scanning Vendors (ASV) use Nessus, making Nessus the preferred vulnerability scanning solution for those companies that provide compliance validation services. The Nessus vulnerability scanner boasts a continuously-updated library of more than 60,000...

Tenable Launches “Straight Talk About PCI” Discussion Forum

by Jeffrey Man on December 19, 2013

Have you ever tried to navigate the PCI website and gotten lost and confused? Are you part of the 99% of companies that must traverse the PCI Compliance landscape as part of the “Self-Assessment” or “do-it-yourself” crowd? Have you been overwhelmed by vendor claims of “PCI made easy” or “PCI Compliance in 10 minutes” or “PCI in a Box”? Does it bother you that the answers to your questions are often tied to the product/solution the vendor is selling? Are you the one with a burning question, but can’t seem to find the right person to ask? Have you asked the question and gotten the trademark “...

What's Wrong with P2PE

by Jeffrey Man on October 31, 2013

The Payment Card Industry Security Standards Council announced at the European Community Meeting in Nice, France the first validated Point-to-Point Encryption (P2PE) solution. The P2PE application/solution validation programs were first introduced by the PCI SSC over two years ago, so while some might say “it’s about time a solution was validated” it at least appears that the P2PE validation program is quite challenging and complex. European Payment Services (EPS), being the first company to have a solution listed, should be commended.

Upping the Ante: Tenable’s Log Correlation Engine Now Standard in SecurityCenter Continuous View

by Allan Carey on April 18, 2013

After a very successful launch of SecurityCenter Continuous View (CV) last year, Tenable has further enhanced the analytical power and value of SecurityCenter CV with the addition of Tenable’s Log Correlation Engine (LCE) as a standard component of the solution. Today’s announcement highlights the addition of LCE to SecurityCenter CV which brings together vulnerability management, compliance reporting, and security information and event management (SIEM) into a single, integrated security and compliance intelligence platform. LCE provides the ability to import logs from hundreds of devices...