By PCIGuru

For those of you looking for my posts grouped into a series based on topic, here is your page.

Network Segmentation Series

Multiprotocol Label Switching (MPLS) Series

Cloud Series

Encryption Series

Europay/MasterCard/Visa (EMV)

Pre-Authorization Data

Mobile Payments

Point To Point Encryption (P2PE)

Scoping Of The Cardholder Data Environment (CDE)

7 Responses to “Post Series References”

  1. Masood
    September 26, 2018 at 1:21 AM

    A client has a merchant portal which is accessed by merchants to view transactions, but there is no card data related detail viewed through that portal, though the transaction details are extracted from the payment gateway database. Merchants use a merchant ID, username and password to log in to the portal. Does 2FA apply to this portal, or can it be excluded from the 2FA requirement for remote access?

    • September 26, 2018 at 8:03 AM

      Requirement 8.3.2 states, “Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.” The scenario you present would be considered remote access so MFA is required.

  2. Masood
    July 16, 2018 at 7:05 AM

    Hello Guru, thanks for your responses and guidance. Please advise: if we have one enterprise firewall that is facilitating both PCI and non-PCI zones, then for the firewall ruleset review requirement, do we need to review only the rules related to the PCI zone, or are all the rulesets required to be reviewed?

    • July 16, 2018 at 5:39 PM

      All the rule sets will need to be reviewed to ensure that the non-PCI rules do not create segmentation issues with your PCI zone. That will be further confirmed by your penetration test.
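
As an added example of the kind of whole-ruleset check the reply above calls for (this is illustration code, not from the PCI Guru site or any firewall vendor's tooling), the script below walks every permit in a mixed PCI / non-PCI ruleset and flags the ones that cross the CDE boundary without a documented justification. The rule format, the zone names (CDE, CORP, GUEST), the sanctioned-flow list and the sample rules are all constructed assumptions; a real review would feed it the exported policy of the firewall in question.

```python
"""Static review of a mixed PCI / non-PCI firewall ruleset.

Added example for illustration; not from the PCI Guru site or any vendor tool.
The rule format, zone names, sanctioned-flow list and sample rules are all
constructed assumptions.
"""
from dataclasses import dataclass

PCI_ZONES = {"CDE"}   # assumption: the zone(s) that make up the cardholder data environment
WILDCARD = "ANY"

# Assumption: the documented, business-justified flows across the CDE boundary,
# as (src_zone, dst_zone, proto, port). Anything else crossing the boundary is a finding.
SANCTIONED_FLOWS = {
    ("CORP", "CDE", "tcp", "443"),   # corporate users to the payment application
    ("CDE", "CORP", "udp", "514"),   # syslog out of the CDE to the log collector
}

# Constructed sample ruleset: id, action, src_zone, dst_zone, proto, port
SAMPLE_RULES = """
# id, action, src_zone, dst_zone, proto, port
10, permit, CORP,  CDE,  tcp, 443
20, permit, CORP,  CORP, tcp, 445
30, permit, CDE,   CORP, tcp, any
40, permit, any,   CDE,  tcp, 22
50, permit, CDE,   CORP, udp, 514
60, permit, GUEST, CDE,  udp, 53
70, deny,   any,   any,  any, any
"""


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str
    src: str
    dst: str
    proto: str
    port: str


def parse_rules(text: str) -> list[Rule]:
    """Parse the comma-separated rule lines; blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6:
            raise ValueError(f"malformed rule line: {raw!r}")
        rule_id, action, src, dst, proto, port = fields
        rules.append(Rule(rule_id, action.lower(), src.upper(), dst.upper(),
                          proto.lower(), port.lower()))
    return rules


def _covers_pci(zone: str) -> bool:
    """True if a zone field can match a PCI zone (an explicit PCI zone or the wildcard)."""
    return zone == WILDCARD or zone in PCI_ZONES


def review(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule_id, reason) for each permit that crosses the CDE boundary
    without being an explicitly sanctioned flow.

    Permits that never touch a PCI zone are ignored (they cannot affect
    segmentation), as are intra-CDE permits and deny rules; every other
    permit must be a documented flow or it is reported.
    """
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        if not (_covers_pci(r.src) or _covers_pci(r.dst)):
            continue                                   # purely non-PCI traffic
        if r.src in PCI_ZONES and r.dst in PCI_ZONES:
            continue                                   # inside the CDE, not a segmentation boundary
        if WILDCARD in (r.src, r.dst):
            findings.append((r.rule_id, f"wildcard zone {r.src}->{r.dst} reaches the CDE boundary"))
        elif r.proto == "any" or r.port == "any":
            findings.append((r.rule_id, f"{r.src}->{r.dst} permits any service across the CDE boundary"))
        elif (r.src, r.dst, r.proto, r.port) not in SANCTIONED_FLOWS:
            findings.append((r.rule_id, f"undocumented flow {r.src}->{r.dst} {r.proto}/{r.port}"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in review(parse_rules(SAMPLE_RULES)):
        print(f"rule {rule_id}: {reason}")
```

On the constructed sample this reports rules 30 (any port out of the CDE), 40 (any source into the CDE) and 60 (an inbound flow nobody documented), while the non-PCI rule 20 is skipped even though it sits in the same policy. Note that this is a static review of the written policy only; it says nothing about rule ordering, shadowing or what the device actually enforces, which is why the reply above points to the segmentation penetration test as the confirming step.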

  3. shiva
    September 16, 2015 at 7:52 AM

    Hi Guru,

    I am looking at log management configuration to meet PCI DSS requirements on QRadar.

    We have a QRadar device for log management and a couple of PCI DSS devices; for this we need to set rules in line with PCI DSS, so could you please advise us which rules need to be set in QRadar to monitor?

    If you have any document, share it with us.

    • September 19, 2015 at 6:30 AM

      If I shared every little tidbit of my knowledge, I would have nothing with which to make a living as an information security consultant. So while I do have such information, I only share it with my clients through consulting engagements when I am paid to share it.

  4. September 24, 2013 at 3:58 AM

    Have you ever thought about publishing an ebook or guest authoring on other blogs? I have a blog centered on the same subjects you discuss and would really like to have you share some stories/information. I know my audience would enjoy your work. If you are even remotely interested, feel free to shoot me an e-mail.


If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.
