Blog

Blog

Getting Creative with your Vulnerability Management Strategy

You don’t have to look hard to find organizations utilizing a small fraction of the capabilities of a vulnerability management tool. Often, that’s because the focus is on meeting a compliance obligation. For example, PCI DSS 3.2.1 says, “11.2.1 – Perform quarterly internal vulnerability scans.” It’s difficult to learn the capabilities of a tool...
Blog

Is Your Vulnerability Management Program Efficient and Successful?

Be organized and efficient. It’s a simple rule of life that makes things run a whole lot smoother. This is something especially important when running your vulnerability management program. There are only so many hours in a day, rather, there are only so many hours in a down cycle where the business will let you scan their environment for...
Blog

What is Vulnerability Management Anyway?

Vulnerability management (VM) programs are the meat and potatoes of every comprehensive information security program. They are not optional anymore. In fact, many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program. If you don’t have vulnerability management tools...
Blog

How the CIS Controls Can Help You Achieve PCI DSS 3.2 Compliance

Compliance with version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) is a must for organizations that handle, process, transmit and store payment card data. But compliance isn’t always easy to establish or maintain. Indeed, there are certain challenges along the way that can make organizations’ compliance with PCI DSS 3.2...
Blog

PCI DSS Version 3.2.1 Published by PCI Security Standards Council

The Payment Card Industry Security Standards Council (PCI SSC) published a minor revision to version 3.2 of its Data Security Standard (PCI DSS). On 17 May, PCI SSC published PCI DSS version 3.2.1. The purpose of the update was to clarify organizations' use of the Standard and when they would need to upgrade their use of common cryptographic...
Blog

3 Key Challenges To Being PCI 3.2 Compliant and How To Resolve Them

The latest revision to PCI DSS, PCI 3.2, provides specific security guidance on the handling, processing, transmitting and storing of credit card data. PCI 3.2 presents an opportunity for retail, healthcare, finance and hospitality organizations to minimize the theft, exposure and leakage of their customer’s personal and financial credit information...
Blog

Putting PCI-DSS in Perspective

Much attention and excitement within the security world has recently been focused on the lucrative surge in crypto-mining malware and hacks involving or targeting cryptocurrency implementations themselves. Yet the volume of ‘real world’ transactions for tangible goods and services currently paid for with cryptocurrency is still relatively niche in...
Blog

A Guide to PCI DSS Merchant Levels and Penetration Testing

To distinguish the size of merchant companies and appropriately determine the level of testing required, the founding credit card companies created four different brackets ranging from Tier 1 to 4. Each tier is based on the number of transactions processed per year by the merchant and also dictates the testing a merchant must undertake. While...
Blog

Are You PCI Curious? A Short History and Beginner’s Guide

When I was a kid and we would go out to dinner, my dad would often pay using a credit card. The server would come over with an awkward, clunky device, put the credit card in it, and scan the card. By scan, I mean make an impression of the numbers on a piece of paper with a carbon receipt, which he would then sign and each party would get a copy. There were no wires, no electronic transmissions of...
Blog

Integrity: The New "I" in PCI Compliance

The retail industry saw more than its fair share of data breaches in 2017, with security incidents impacting at American supermarket chain Whole Foods Market and clothing companies Brooks Brothers, The Buckle, and Forever 21, to name a few. At least some of those events likely resulted from retailers' poor data breach preparation. Consider the fact...
Blog

What Is Vulnerability Management?

Enterprise networks regularly see change in their devices, software installations and file content. These modifications can create risk for the organization. Fortunately, companies can mitigate this risk by implementing foundational security controls. For example, enterprises can monitor their important files for change using file integrity...
Blog

5 Things You Should Know about PCI DSS Penetration Testing

The Payment Card Industry Data Security Standard (PCI DSS) was introduced to provide a minimum degree of security when it comes to handling customer card information. While the Standard has been around for over a decade, penetration testing has only recently been officially incorporated into the process. There’s a lot to cover in a PCI DSS...
Blog

Half of Organizations Fail to Maintain PCI Compliance, Finds New Report

Nearly half of organizations that store, process or transmit card data are still failing to maintain PCI DSS compliance from year to year, reveal new statistics. According to the 2017 Verizon Payment Security Report, the number of enterprises becoming fully compliant is on an upward trend—growing almost five-fold since 2012. Last year, 55.4 percent...
Blog

Breaking Out of the Checkbox with PCI 3.2 Compliance

Since 2004, merchant companies that handle branded credit cards have worked to maintain compliance with the Payment Card Industry Data Security Standards (PCI DSS). These regulations, which consist of six fundamental control objectives and 12 core requirements, aim to protect payment card data for customers. They also help card issuers and banks...
Blog

3 Questions to Gauge the Resiliency of Your Vulnerability Management Solution

Looking at the cyberthreat landscape, millions of new devices come online every day. But there’s a shortage of qualified cybersecurity workers to protect those devices once they come online. Additionally, in almost every case, it takes minutes or less to compromise them. Simply running more vulnerability scans to collect more data and generating...
Blog

Why Continuous Scans Are Important to Vulnerability Management

To protect against evolving digital threats, more and more organizations are employing endpoint detection and response (EDR) systems on their computer networks. EDR consists of six crucial security controls. The first two, endpoint discovery and software discovery, facilitate the process of inventorying each device that is connected to the network...
Blog

PCI 3.2 and The Regulation Storm

There is never a dull moment for compliance and security. Case in point, amidst a brewing storm of regulation, version 3.2 of the Payment Card Industry Data Security Standards (PCI DSS) announced in late spring articulates good data security intent along with controversy. PCI has been around since 2006, and aims to protect payment data for consumers...
Blog

Delaying PCI 3.1: Time to Dance the Compliance and Security Waltz

The recent announcement from the Payment Card Industry Security Standards Council (PCI SSC) that it will be moving the PCI 3.1 deadline to June 2018 – giving an extra 24 months – caught my attention and reminded me of the ongoing dance between compliance and security. From a compliance and operational standpoint, the new deadline gives organizations...
Blog

Are Financial Services IT Pros Overconfident in Data Breach Detection Skills?

Tripwire studied confidence vs. knowledge of financial services IT security pros on seven key security controls necessary to detect a data breach. For many controls IT pros believed they had the information necessary to detect a breach quickly but provided contradictory information about the specific data. ...