This forum is to promote member-owned businesses and publicize services that members offer. One thread per business or service please, and please only create a thread for YOUR business or service.

Compliance and Network Security

Wed Apr 27, 2016 6:37 pm

Noticed a post in the FFL area about a vendor working on PCI compliance for taking credit cards. I wanted to offer free consultation to any small FFL if they run into issues or have concerns regarding PCI compliance or security. I've been in this field for 10 years, and I'd love to help anyone that needs it.

Re: Compliance and Network Security

Wed Apr 27, 2016 6:49 pm

Generous offer.
PCI compliance is a whole new can of worms for a lot of people.
I've had prospective clients bitching about why they couldn't download malware screensavers, store credit card numbers in plain text, and couldn't keep the same password they used for the past 8 years.

Re: Compliance and Network Security

Wed Apr 27, 2016 7:03 pm

Guntrader wrote: Generous offer.
PCI compliance is a whole new can of worms for a lot of people.
I've had prospective clients bitching about why they couldn't download malware screensavers, store credit card numbers in plain text, and couldn't keep the same password they used for the past 8 years.


My first day at a really well known company, IT told us "just use a pet's name and add the number one on the end, then when you have to update, you just make it two."

Re: Compliance and Network Security

Wed Apr 27, 2016 7:11 pm

I have seen the 'increment by one' scheme, may have even been in literature from PCI.

My ex was a pension analyst for the Teamsters Trust.
They had to change passwords every two weeks, couldn't contain more than 7 characters from the last password, upper, lower, number, extended characters, etc.
So they just taped them to their monitors or desk.

Weakest link in infosec is always people.

Re: Compliance and Network Security

Wed Apr 27, 2016 7:12 pm

Guntrader wrote: I have seen the 'increment by one' scheme, may have even been in literature from PCI.

My ex was a pension analyst for the Teamsters Trust.
They had to change passwords every two weeks, couldn't contain more than 7 characters from the last password, upper, lower, number, extended characters, etc.
So they just taped them to their monitors or desk.

Weakest link in infosec is always people.


For sure, sometimes people forget the balance between productivity and security. Too Secure = No business

Re: Compliance and Network Security

Wed Apr 27, 2016 7:38 pm

Very generous of you - for my business, I am going to run the SAQ again and see if I am compliant. Last time I was only one or two questions shy of the green light.

PCI compliance is far beyond password security in complexity, scope, and depth.

It has been an experience...

Re: Compliance and Network Security

Wed Apr 27, 2016 10:07 pm

It sucks having to make any services I offer ITAR compliant.

Re: Compliance and Network Security

Sat May 25, 2019 11:49 am

Are you looking or interested in working with other companies on this compliance?
I know it's a pain and some of my clients have been messing with it off and on. When it comes up again you have any desire to assist (for pay of course).

Re: Compliance and Network Security

Sat May 25, 2019 12:35 pm

Col_Temp wrote: Are you looking or interested in working with other companies on this compliance?
I know it's a pain and some of my clients have been messing with it off and on. When it comes up again you have any desire to assist (for pay of course).


Paris... This was a 3 year old thread man... :bonghit:

Re: Compliance and Network Security

Fri Jun 07, 2019 1:45 pm

Massivedesign wrote:
Col_Temp wrote: Are you looking or interested in working with other companies on this compliance?
I know it's a pain and some of my clients have been messing with it off and on. When it comes up again you have any desire to assist (for pay of course).


Paris... This was a 3 year old thread man... :bonghit:

:bigsmile: Yeah but I'm pretty sure he is still around....
I'll message him and see.