
Risk

11/12/2010
04:07 PM
Dark Reading
Products and Releases

Fortrex Technologies Backs PCI DSS And PA-DSS 2.0 Compliance

Standards offer improved alignment, clarifications, and guidance

FREDERICK, Md., Nov. 12, 2010 /PRNewswire/ -- Fortrex Technologies, Inc., a market leader in IT security, operational risk, and compliance, and a Payment Card Industry (PCI) Security Standards Council (SSC) Qualified Security Assessor (QSA), Payment Application Qualified Security Assessor (PA-QSA) and Approved Scanning Vendor (ASV [3705-01-05]), is pleased to announce its support for version 2.0 of the PCI Data Security Standard (DSS) and the Payment Application Data Security Standard (PA-DSS), both released by the PCI SSC on October 28, 2010.

"Having assisted our clients with payment card security compliance since 2002, we have witnessed the evolution and maturity of the standards as they grow to address a changing threat landscape. The new release is timely and pertinent," states Senior Vice President of Client Services Chris Konrad.

"Following review of the new standards, it is my belief that many of our clients will be pleased with their greater clarity and increased flexibility," states Director of Client Services Joshua Lyons.

The new PCI DSS and PA-DSS standards offer improved alignment, clarifications, and guidance. Fortrex advises merchants and service providers to carefully review the Council's published Summary of Changes documentation and to go over the standards with their selected assessor in advance of assessment. The following PCI DSS changes deserve particular attention:

-- Scope of Assessment for Compliance with PCI DSS Requirements - All locations and flows of cardholder data are in scope of assessment
-- Requirement 2.2.1 - Virtualization technologies are permitted, with the restriction that one primary function per virtual system component be enforced
-- Requirement 3.2 - Issuers are identified as allowed to store sensitive authentication data, given a business justification and secure storage
-- Requirement 3.6.4 - Key management procedures may include periodic key changes based on cryptoperiods aligned with industry best practice
-- Requirement 6.5 - Version 1.2.1 requirement 6.3.1 has been consolidated into requirement 6.5 in the new release, with current guidance from the SANS/CWE Top 25, CERT Secure Coding, and the OWASP Guide provided as reference sources for industry best practice in vulnerability management

For payment application vendors, the following PA-DSS changes should similarly be reviewed:

-- Scope of PA-DSS - The PA-DSS is clarified as being non-applicable to payment applications developed for and sold to a single customer for the sole use of that customer
-- PCI DSS references have been removed, with PCI DSS testing procedures incorporated as sub-requirements
-- Requirement 4.4 - New requirement necessitating that payment applications facilitate centralized logging
-- Requirement 5.2.6 - New requirement addressing high-risk vulnerabilities identified under requirement 7.1
-- Requirements 10 and 11 have been merged

For further information and reference, Fortrex has published its recent webinar, "PCI 2.0 Now What ??".

Version 2.0 becomes effective January 1, 2011; assessments against the previous version 1.2.1 of the standards remain permitted until December 31, 2011. Further information is available via the Council's web site: www.pcisecuritystandards.org
