For those of you looking for my posts grouped into a series based on topic, here is your page.
Network Segmentation Series
- Network Segmentation – https://pciguru.wordpress.com/2009/02/15/network-segmentation/
- Network Segmentation – Take 2 – https://pciguru.wordpress.com/2010/03/06/network-segmentation-%E2%80%93-take-2/
- Network Segmentation – One Last Discussion – https://pciguru.wordpress.com/2011/01/09/network-segmentation-%E2%80%93-one-last-discussion/
Multiprotocol Label Switching (MPLS) Series
- The ‘MPLS Is A Private Network’ Debate – https://pciguru.wordpress.com/2009/04/18/the-mpls-is-a-private-network-debate/
- An Update On The MPLS Privacy Debate – https://pciguru.wordpress.com/2011/04/18/an-update-on-the-mpls-privacy-debate/
- The MPLS Privacy Debate Continues – https://pciguru.wordpress.com/2011/10/22/the-mpls-privacy-debate-continues/
Cloud Series
- The Amazon Cloud and PCI Compliance – https://pciguru.wordpress.com/2012/10/02/the-amazon-cloud-and-pci-compliance/
- Cloud Computing and PCI Compliance – https://pciguru.wordpress.com/2009/10/15/cloud-computing-and-pci-compliance/
- More On “The Cloud” and PCI Compliance – https://pciguru.wordpress.com/2011/01/15/more-on-%E2%80%9Cthe-cloud%E2%80%9D-and-pci-compliance/
Encryption Series
- End-To-End Encryption – The Rest Of The Story – https://pciguru.wordpress.com/2011/07/24/end-to-end-encryption-%E2%80%93-the-rest-of-the-story/
- Tokenization – https://pciguru.wordpress.com/2011/08/05/tokenization/
- Encryption Basics – https://pciguru.wordpress.com/2012/01/01/encryption-basics/
- Hashing Basics – https://pciguru.wordpress.com/2012/01/08/hashing-basics/
- Encryption Key Management Primer – Requirement 3.5 – https://pciguru.wordpress.com/2012/01/15/encryption-key-management-primer-requirement-3-5/
- Encryption Key Management Primer – Requirement 3.6 – https://pciguru.wordpress.com/2012/01/28/encryption-key-management-primer-requirement-3-6/
Europay/MasterCard/Visa (EMV)
- The Chip And PIN Debate – Part 1 – https://pciguru.wordpress.com/2010/08/15/the-chip-and-pin-debate-%E2%80%93-part-1/
- The Chip And PIN Debate – Part 2 – https://pciguru.wordpress.com/2010/08/16/the-chip-and-pin-debate-%E2%80%93-part-2/
- The Chip And PIN Debate – Part 3 – https://pciguru.wordpress.com/2010/08/17/the-chip-and-pin-debate-%E2%80%93-part-3/
- The Chip And PIN Debate – Part 4 – https://pciguru.wordpress.com/2010/08/19/the-chip-and-pin-debate-%E2%80%93-part-4/
- A Carrot For Chip And PIN – https://pciguru.wordpress.com/2011/08/13/a-carrot-for-chip-and-pin/
- The (EMV/Contactless) World According To Visa – https://pciguru.wordpress.com/2011/09/23/the-emvcontactless-world-according-to-visa/
- Why The Push For EMV Adoption In The United States? – https://pciguru.wordpress.com/2012/02/05/why-the-push-for-emv-adoption-in-the-united-states/
Pre-Authorization Data
- Pre-Authorization Data – https://pciguru.wordpress.com/2009/09/08/pre-authorization-data/
- Pre-Authorization Data – The Definitive Answer – https://pciguru.wordpress.com/2012/08/01/pre-authorization-data-the-definitive-answer/
- Pre-Authorization Data – The Card Brands Weigh In – https://pciguru.wordpress.com/2012/10/29/pre-authorization-data-the-card-brands-weigh-in/
Mobile Payments
- Mobile Computing and PCI – https://pciguru.wordpress.com/2010/01/16/mobile-computing-and-pci/
- Extremely Mobile Payment Processing – https://pciguru.wordpress.com/2010/02/10/extremely-mobile-payment-processing/
- PCI SSC Nixes PA-DSS Certification For Mobile Payments Applications – For Now – https://pciguru.wordpress.com/2010/12/16/pci-ssc-nixes-pa-dss-certification-for-mobile-payments-applications-for-now/
- More On Mobile Payments – https://pciguru.wordpress.com/2011/02/12/more-on-mobile-payments/
- Mobile Payment Application PA-DSS Certification Clarification Announcement – https://pciguru.wordpress.com/2011/06/28/mobile-payment-application-pa-dss-certification-clarification-announcement/
- Google Wallet – https://pciguru.wordpress.com/2011/12/22/google-wallet/
- When Will The PCI SSC And Card Brands Stop The Mobile Payment Insanity – https://pciguru.wordpress.com/2012/03/17/when-will-the-pci-ssc-and-card-brands-stop-the-mobile-payment-insanity/
- Mobile Payments Update – https://pciguru.wordpress.com/2013/08/30/mobile-payments-update/
Point To Point Encryption (P2PE)
- Is “End-To-End Encryption” Realistic – Part 1 – https://pciguru.wordpress.com/2009/05/10/is-%E2%80%9Cend-to-end-encryption%E2%80%9D-realistic-part-1/
- Is “End-To-End Encryption” Realistic – Part 2 – https://pciguru.wordpress.com/2009/05/16/is-%E2%80%9Cend-to-end-encryption%E2%80%9D-realistic-part-2/
- Is “End-To-End Encryption” Realistic – Part 3 – https://pciguru.wordpress.com/2009/05/17/is-%E2%80%9Cend-to-end-encryption%E2%80%9D-realistic-part-3/
- End-To-End Encryption – The Rest Of The Story – https://pciguru.wordpress.com/2011/07/24/end-to-end-encryption-%E2%80%93-the-rest-of-the-story/
- P2PE Revisited – https://pciguru.wordpress.com/2013/11/02/p2pe-revisited/
- P2PE Versus E2EE – https://pciguru.wordpress.com/2014/08/24/p2pe-versus-e2ee/
Scoping Of The Cardholder Data Environment (CDE)
- In Scope Versus Out Of Scope – https://pciguru.wordpress.com/2009/03/09/in-scope-versus-out-of-scope/
- In Scope – Example I – https://pciguru.wordpress.com/2009/06/20/in-scope-%E2%80%93-example-i/
- Is My Call Center In Scope? – https://pciguru.wordpress.com/2009/07/20/is-my-call-center-in-scope/
- What Is “In Scope?” – https://pciguru.wordpress.com/2011/12/04/what-is-in-scope/
- PCI SSC Issues Clarification On Encrypted Data Being In Scope – https://pciguru.wordpress.com/2009/10/31/pci-ssc-issues-clarification-on-encrypted-data-being-in-scope/
- How Email Ends Up In Scope And What To Do About It – https://pciguru.wordpress.com/2010/01/02/how-email-ends-up-in-scope-and-what-to-do-about-it/
- Scoping Clarification – https://pciguru.wordpress.com/2013/02/21/scoping-clarification/
- Encrypted Cardholder Data – Out Of Scope? – https://pciguru.wordpress.com/2013/03/07/encrypted-cardholder-data-out-of-scope/
- PCI Scoping Tool – https://pciguru.wordpress.com/2013/05/26/pci-scoping-tool/
Hi PCIGuru,
Thanks for all your advice and for keeping us updated from this site. The company has had an increase in mergers and acquisitions over the last two years and there is a need to consolidate the multiple payment processors and work with a single payment gateway. We hope to receive savings from this consolidated effort. However, what areas of concern should I be watching for as we consolidate? The goal is to modify the applications to redirect the customer and use the payment processor's customized payment page. As we begin to consolidate to use one payment gateway, does the transaction count come from the number used for each merchant ID or the total number of transactions for all merchant IDs, including the parent and subsidiaries?
Thanks,
JaMiller
Back in the “good old days” of PCI, the banks and processors had no idea of the total transaction volumes for a given entity that had been created by M&A activities and multiple MIDs. However, that all changed probably around six to eight years ago and that is no longer the case. All the players know close to every entity’s total transaction volumes regardless of the number of MIDs.
The key thing to watch for though is ensuring that every business unit properly implements the re-direct. I have encountered too many organizations where they claim it was done consistently only to find some BUs that used JavaScript or something other than a re-direct.
A client has a merchant portal which is accessed by merchants to view transactions, but there is no card data related detail viewed through that portal, though the transaction details are extracted from the payment gateway database. Merchants use a merchant ID, username and password to log in to the portal. Does 2FA apply to this portal, or can it be excluded from the 2FA requirement for remote access?
Requirement 8.3.2 states, “Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.” The scenario you present would be considered remote access so MFA is required.
Hello Guru, thanks for your responses and guidance. Please advise: if we have one enterprise firewall that is facilitating both PCI and non-PCI zones, then for the firewall ruleset review requirement, are we required to review only the rules related to the PCI zone, or are all the rule sets required to be reviewed?
All the rule sets will need to be reviewed to ensure that the non-PCI rules do not create segmentation issues with your PCI zone. That will be further confirmed by your penetration test.
Hi Guru,
I am looking at log management configuration to meet PCI DSS requirements on QRadar.
We have a QRadar device for log management and a couple of PCI DSS devices; for these we need to set rules in line with PCI DSS, so could you please advise us which rules need to be set in QRadar to monitor?
If you have any documents, please share them with us.
If I shared every little tidbit of my knowledge, I would have nothing with which to make a living as an information security consultant. So while I do have such information, I only share it with my clients through consulting engagements when I am paid to share it.
Have you ever thought about publishing an ebook or guest authoring on other blogs? I have a blog centered on the same subjects you discuss and would really like to have you share some stories/information. I know my audience would enjoy your work. If you are even remotely interested, feel free to shoot me an e-mail.