Quick Cookie Notification

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.

View Cookie Policy for full details

Rapid7 Blog

Didier Godart  



PCI 30-second newsletter #38 - The Holy Grail vs ROC-Fission: The only way to reach compliance

A big thanks to Andy Barratt - Managing Director, Europe and QSA, Coalfire for his contribution to this newsletter. “Any darn fool can make something complex; it takes a genius to make something simple.”― Peter SeegerIf you are the glorious knight responsible for…

PCI 30 Seconds newsletter #37 - And PCI said "Get Pen-Tested"!

This newsletter clarifies what is expected to comply with PCI DSS 11.3: Penetration testing. Why is Pen-test needed? In the same way that wellness checks support a doctor's diagnosis by determining what's wrong or not working as expected (a.k.a. an analysis) and…

PCI 30 seconds newsletter #36 - Control your privileged accounts - How to contain the "Keys to the kingdom" problem

What's a Privileged account? The term "Privileged account", also known as "High Privileged account" or "Super user" refers to any type of account that holds special or extra permissions within the enterprise systems. They are generally categorized as: IT…

PCI 30 seconds newsletter #35 - Patch management, how to comply with PCI.

In the newsletter #15 I addressed the problem of flaws in our working environments. As a follow up I'm covering here the topic of patch management and its applicability within the context of PCI, a domain of 49,5% compliance rate as per the Verizon…

PCI 30 seconds newsletters published so far.

This is the list of PCI 30 seconds newsletters published so far. If you like them, please tell us, share them, follow me on twitter or linkedin to not miss the next ones. Suggest some topics you would like to see addressed. If you don't…

PCI 30 seconds newsletter #34 - PCI DSS Version 3 Changes and Impact - Should You Care?

I'm here again with a song in mind: Why should I care?You have probably noticed that PCI DSS Version 3 is available! It is applicable on a voluntary basis until Jan 2015, when it becomes mandatory. But, should you care? Should you prepare yourselves?…

PCI 30 seconds newsletter #33 - Key take-away from the PCI Community meeting 2013

I have been attending the PCI Community meetings since the early days. I remember each one of them. Not really the content, but about the people representing PCIco, the brands, organizations subjected to compliance, and the security communities (QSA's, ASV's, PFI's, solution providers). They are…

PCI 30 seconds newsletter #32 - Money for nothing

Starting this newsletter with two famous songs in mind: "Money" by Pink Floyd and "Money for nothing" by Dire Straits. If I ask you to give me the most common PCI keywords that come to mind, you will most probably answer:…

PCI 30 Seconds Newsletter #31 - PCI DSS Crypto-framework

Strong Cryptography is referred to by PCI DSS through the following requirements:2.3 - Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web- based management and other non- console administrative access.4.1 -…

PCI 30 seconds newsletter #30 - Trainings your organization must deliver to comply with PCI DSS

PCI-DSS requires organizations subjected to compliance to deliver three specific trainings, namely: Security Awareness, Secure Coding and Incident response. This newsletter describes what you should know about them in terms of What, Who and How. Security Awareness Associated PCI DSS requirement: 12.6 Audience: Any…

PCI 30 seconds newsletter #29 - Do all PCI DSS requirements apply?

I recently assisted a medium size organization to align with PCI. The gap analysis and design phase raised a number of concerns from their side. All of the concerns started as something similar to: "Why do we need this? It induces more risks".Implementing protection…

PCI 30 Seconds newsletter #28 - The PCI Library - What docs are required for compliance?

Compliance programs are heavily based on documentation and PCI does not make an exception. Technical and non-technical documents are a major part of the PCI journey and certainly of the compliance audit. Documents (technical description, diagram, policies, procedures, standards, audit trails, scan reports, pen test…

PCI 30 seconds Newsletter #27 - Should I disable my protection system for ASV scans?

In the context of intrusion detection and prevention, PCI DSS requires implementation/configuration of Firewalls (Req 1), Anti-virus (Req 5) and Intrusion detection systems (IDS) (Req 11.4). Optionally, organizations are invited to consider the use of Intrusion Prevention Systems (IPS) in place or in…

PCI 30 seconds newsletter #26 - PCIP is it worth it?

At the last PCI Community meeting the Council introduced a new certification (yes one more!). After, ASV, QSA, P2PE QSA, ISA, PFI, QIR, there it is: The PCIP (Payment Card Industry Professionals) certification.Why?Firstly, to answer a valid concern from the QSA and ISA…

PCI 30 seconds newsletter #25 - A New Standard is Born.

PCI SSC is putting the finalizing touches to two new standards (Physical and Logical Security Requirements) for card manufacturers and card personalization centers.After having co-authored the first version of the PCI DSS and having designed and led the ASV certification program on behalf of…

Featured Research

National Exposure Index 2018

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.

Learn More


Make Your SIEM Project a Success with Rapid7

In this toolkit, get access to Gartner's report “Overcoming Common Causes for SIEM Solution Deployment Failures,” which details why organizations are struggling to unify their data and find answers from it. Also get the Rapid7 companion guide with helpful recommendations on approaching your SIEM needs.

Download Now

Featured Research

Quarterly Threat Report

Rapid7’s Quarterly Threat Report leverages intelligence from our extensive network—including the Insight platform, managed detection and response engagements, Project Sonar, Heisenberg Cloud, and the Metasploit community—to put today’s shifting threat landscape into perspective. It gives you a clear picture of the threats that you face within your unique industry, and how those threats change throughout the year.

Learn More