Month: May 2015

MPSB is re-certified as PCI v3.0!


Congratulations to ManagePay Services Sdn Bhd for re-certifying under PCI v3.0. They are the first among our clients to achieve v3.0!

PCI v3.0 retains the 12 main requirements from PCI v2. PCI DSS v3.0 became effective on January 1st 2014, but organisations were given the choice to comply with either v2 or v3 during 2014. All certifications in 2015 (MPSB included) are certified under v3.0. Under v3.0, however, the major changes include:

a) Testing of segmentation adequacy through penetration testing

This determines whether segmentation has been done properly. We have seen many implementations where 'segmentation' was supposedly in place, but we found that the routes between networks allowed unfiltered access between zones. Penetration testing the segmentation controls confirms whether the CDE is properly isolated from out-of-scope networks.

b) Validation of 3rd party providers

PCI-DSS compliance of 3rd party providers must be validated if cardholder data is shared with them. This is done either through the provider's own AOC (as with AWS), or through an agreement to participate in the customer's PCI program.

c) Business as Usual

By far, this is the most challenging for us. Most organisations undergoing PCI-DSS struggle in the second- and third-year re-certification, as they need to demonstrate compliance in everyday activities and not just during the audit period.

d) Protection of POS

Most of the issues of recent times, such as the Target breach, are due to POS malware exploitation. V3.0 requires companies to maintain an inventory of POS devices, protect them from tampering, and provide periodic training.

Of course, v3.0 covers a lot more than these. For a more detailed look at PCI v3.1 and how it affects your organisation, you can contact avantedge@pkfmalaysia.com. Or you can join our monthly PCI training, which is HRDF claimable; the latest schedule is at http://www.pkfavantedge.com/training-programs/.

The Star Online Hacked


Like the entire population of Malaysia and everyone else on this planet except the few strange people from MARA (who obviously do not have children of their own, or if they do, have an extremely dull sense of what morality is) – I was keeping up with the story of the Malaysian paedophile case. Everyone knows about it. Nur Fitri was busted and convicted as a paedophile (one who sexually abuses children – granted, he was caught with images, not actually abusing, but it's just as bad), and MARA (the organisation that had given Nur Fitri the scholarship) went on the record stating that he deserves a second chance because he is a maths genius and an asset to the country. And that being convicted as a paedophile is like playing truant at school.

???

Anyway, while trying to get to The Star Online, the popup message received was "You've been hacked by the Syrian Electronic Army."

Tsk.

It's actually not The Star that got hacked. They attacked Gigya, a customer identity management platform that is apparently used by The Star. This attack has been prevalent since last year, so I am not sure why The Star is still having this issue. Any link to Gigya gets pointed to SEA's images and servers. A quick look at The Star's page load shows a whole bunch of references to Gigya.

Star, you need to remove that component from your site!

If you need help in testing your site for vulnerabilities, please contact us at avantedge@pkfmalaysia.com.


© 2024 PKF AvantEdge