In Flight

Updates, Guidance, and Stories from the Urbane team.

To Infinity, (Above) and Beyond!

The Payment Card Industry Data Security Standard (PCI DSS) is no longer a fledgling framework. The thought and process that have gone into its revisions have produced a prescriptive list of controls that any organization would do well to follow. However, even the PCI Security Standards Council steadfastly maintains that the PCI DSS is only a baseline of controls. So let’s go through a thought exercise about additional controls that are not in the PCI DSS but could be used to improve the security of your environment.



Are You Ready for the New PCI DSS Requirements in 2018?

Were you the kid who came straight home from school and started the new project on the day it was assigned? Or were you the type who would calculate in your head exactly how much you could procrastinate before starting? Playing that new video game or riding bikes outside with your friends always seemed like more fun than a new compliance requirement, er, homework.

The PCI Security Standards Council released the newest version of the PCI DSS in April 2016. It contained quite a few minor changes and updates as well as nine brand new requirements. After pushing the SSL/TLS migration deadlines back due to industry pressure and tight implementation timelines, the Council prudently provided almost two years of lead time before enforcing these new controls. That grace period is almost over. All new requirements introduced in PCI DSS v3.2 are currently considered best practices and become mandatory on February 1, 2018.



Recent Guidance from the PCI Council

One would think that the publication of the next version of the PCI DSS (April 2016) as well as the sunset date of the previous version (in October 2016) would constitute a pretty full year for PCI. However, the end of 2016 and beginning of 2017 saw a flurry of activity from the PCI Security Standards Council (PCI SSC), specifically around their Guidance Documents.

The following Information Supplements were published in the last year:

  • Assessment Guidance for Non-Listed Encryption Solutions (November 2016)
  • Guidance for PCI DSS Scoping and Network Segmentation (December 2016 & May 2017)
  • Multi-Factor Authentication (February 2017)
  • Best Practices for Securing E-commerce (April 2017)

While there is too much detail in each document to cover everything here, I’ve tried to summarize the information provided by each document and add any commentary that may help you understand the details in each supplement.



Evolving NIST Password Guidance and PCI

Passwords are difficult. They have to be a certain length, use certain characters, change at certain intervals, and worst of all they have to be memorable. But the NIST Trusted Identities Group thinks that should change.

The new draft version of NIST’s Digital Identity Guidelines (SP 800-63-3) is in the process of being finalized. The sub-publication on Authentication and Lifecycle Management (SP 800-63B) contains some interesting changes to password composition and management. The document uses the term “memorized secrets” to refer to passwords and PINs. As this is still a draft, it is advisable to wait for the final publication before changing security policies based on it.
