
#pcidss


#Paypal is changing its privacy policy. If you have an account, here's what you need to do:

✅ Log in (you *are* using TOTP multifactor authentication, right?)
✅ Click the Gear icon in the upper right corner.
✅ Click "Data & Privacy"
✅ Follow the link under that category to "Personalized Shopping"
✅ Click the slider switch to disable data sharing with advertisers and retailers based on your purchase history.

Has anyone working with #msTeams and #PCIDSS managed to convince a credit card company that the public key encryption used to secure #teamsVoice calls is suitable to exempt a corporate network from being in-scope when taking CHD over a telephone call?

pcisecuritystandards.org/faq/a

PCI Security Standards Council · Frequently Asked Question
By mobeenx
Replied in thread

@Zugschlus @Cappyjax @WB2EEE @elly well, I'd rather not take or stay in a job than commit what I call "Professional #Malpractice"!

  • I know this makes me an outlier, but the fact that I did my job so well that everything I deployed runs like clockwork to this day and that I'm not short of offers tells me that being an honest #sysadmin is the way to go morally instead of being a #bootlicker!

Again: We have this entire shitshow because we allow #TechIlliterates and other dipshits to make up regulations on the spot.

  • Also yes, there are means to harden #Linux on Desktops and Servers beyond the already existing #CommonCriteria and #CIS2 as well as beyond #PCIDSS compliance, and good Distros will even offer a warranty and assurance for that directly - something #Microsoft just won't do for #Windows no matter the amount of money one shoves down their throat!

The fact that we even allow that #Govware and #Scareware [to even exist, especially] in #CriticalInfrastructure when in both cases their #EULA explicitly bans that use-case is a testament to the false priorities of regulators and their rules.

  • So yeah, if a concrete-headed #TechIlliterate wants that they can have it - but not from or with me!

And then they all whine about why noone wants to work for them... What a shitshow.

Tell you what, I'd rather welcome such meetings, because the last time some CEO did that (with an absurd office mandate forcing a colleague into a 500km [one-way!] commute twice a week) they basically mobbed out the two best colleagues I had and subsequently imploded the Linux Infrastructure team.

  • Last time I checked that company hadn't filled the vacancies and once Recruiters hear the story, they tend to fire said company as a client.
Zug.Network
Marc Haber (@Zugschlus@zug.network)
@kkarhan@infosec.space @Cappyjax@mastodon.social @WB2EEE@mastodon.radio @elly@donotsta.re If your company's policy tells you to install that stuff, then you install that stuff or are out of a job. In sad reality, auditors expect some kind of "endpoint protection" to give you the compliance certificate that the company needs, and most companies decide to buy that instead of implementing it yourself. And it is also in your "best" interest to accept that as a system administrator. If the bought software fscks up, people shrug it away and continue (including continuing to use said software). If your home-built solution fscks up, you're at least in for some very uncomfortable appointments in your own C-suite, if not immediately out of a job. That's sad reality, and I regret writing that. But.
Replied in thread

@MichalBryxi yeah...

As much as I'm still angry at #Microsoft, #Apple and #Mozilla for blocking #CACert to this day, @letsencrypt is a net positive.

  • Tho I've had to deal with more "serious business" where that wouldn't cut it. #PCIDSS demands #EV-#SSL for #PaymentProcessors and that is a process in which they actually do #KYC a company and #ID the #CEO & #CFO (cuz I was in charge of updating said cert and had to wait for that to complete)...

And for the upper triple digits that cert costs per year, the process went quite fast and it took like 5 mins tops.

@lightspill Personally, I think that depends...

Certain things are matters of taste (i.e. #vi, #vim, #neovim, #nano, #ne or #kilo as #editors) and certain things are just objectively correct things to do (i.e. #PGP/MIME encryption on #eMail, using #MultiVendor & #MultiProvider #OpenStandards instead of #proprietary #SingleVendor & #SingleProvider "solutions"...)

  • But as @tantacrul once said: "It's okay to be wrong!"

As a #Linux & #Unix-esque #Sysadmin I'd rather be disliked as #BenevolentDictator than to deliver or even maintain subpar, substandard, insecure and unmaintainable solutions, because like an #electrician, people / businesses or rather clients / employers expect me to plan and deliver solutions that are 'up to code' and by 'code' I mean the relevant laws and standards ranging from #GDPR & #BDSG to #PCIDSS & #BSI...

  • EVERYTHING ELSE is secondary!
Replied in thread

@ryebread8403 @michael it's not a matter of flavour, but an #InconvenientTruth that #Windows and #windowsServer are #InsecureInEveryConfiguration, can't comply with #GDPR, #BDSG & #PCIDSS and thus are a "can't use and won't use" for me since I live in a jurisdiction where actual #privacy and #DataProtection laws exist and no insurance would cover the costs if that were to explode in my face, even if doing so wasn't a literal felony ["endorsing or rewarding of a felony"] itself.

  • I hope this clarifies the #facts that in fact I'm not some "Microsoft Hater", but instead just someone making ends meet doing IT and keeping both employers' / clients' asses as well as myself out of jail!
Replied in thread

@Natanox @marc @cmalloc @kontrollierterWahnwitz

Yes, and I'd rather not work under #TechIlliterates who meddle...

  • Although I've almost always been brought in to secure things and therefore act as a "#BenevolentDictator" with backing, because the decisions are as a rule non-negotiable [e.g. #DSGVO, #BDSG & #PCIDSS compliance] and, as a consequence, bans on certain "solutions" [e.g. #Windows, especially #Windows10 & #Windows11] inevitably follow when the vendor or maintainer is unwilling and/or unable to prove compliance for their product under threat of liability claims in case of misinformation!

Something that e.g. #RedHat, #SUSE & #Canonical ( #UbuntuLTS / #UbuntuPro ) not only offer but also deliver with evidence...

Why don't we have the same protections for bank account information that we have for credit card numbers? Given that the majority of transactions are with credit cards, there are still many companies that store bank accounts for wire transfer.

PCIDSS says little about bank accounts, and nothing about encryption at rest. True, it is Visa's baby, and they, well, they don't have checking accounts so meh I guess?

Fact is for a lot of the middle class, the bank account is the crown jewel. We are economically a level of abstraction further from actual money (Like M1 money) with credit cards than we are with bank accounts. The credit cards are just based on promises. The bank account has real moolah.

Anyway - Thursday "waiting for Veracode to load" research for me please - y'all find any compliance body that recommends secure handling of bank accounts, not just payment cards?

@penguingeek @hermann @tychotithonus depends...

You may use a tiny airgapped linux machine which can act as a USB gadget to type in passwords like a Keyboard instead...

Needless to say, writing down passwords in plaintext without any granular access control (i.e. physical safe) is a violation of @bsi "IT Basic Security Standard" as well as #PCIDSS, #GDPR & #BDSG to the point that it would be a felony.

Having a dedicated encrypted password / file storage to handle sensitive data like logins and certificates is key...

@neurovagrant personally, I do intend to literally blocklist anything and only allowlist what's needed for any serious network.

  • At least that's how one can comply with #PCIDSS, #GDPR & #BDSG by literally being able to name every single connection to the "spicy parts" of the IT...

Granted, the systems I administrate can't even run #AnyDesk and only allow #Pubkey-based #SSH authentication and log all inputs in realtime, literally sending alerts for any sudo command [root is unavailable for security reasons] to the CISO...

Replied in thread

@Em0nM4stodon it is basically illegal in #Germany because not only would it require one to have written #consent by everyone who's featured or whose data is being processed, but also one cannot comply effectively with "requests for correction or deletion of data", so it's inherently unable to comply with #GDPR & #BDSG.

  • And don't even get me started that in financial (#PCIDSS) and medical (German dataprotection exceeds #HIPAA by a few moon orbits!) data this is essentially a no-go.

I sincerely hope @bsi and other regulators will #ban #Recall sooner rather than later, even if they do not have the balls to ban #Windows11 or #Windows in general...