Jeff Hall

Principal Security Consultant

Jeff Hall is a principal consultant in Optiv’s advisory services practice on the Payment Card Industry (PCI) compliance team. Jeff’s role is to provide post-sales support and consulting to Optiv’s clients as well as providing support and mentoring to other Optiv team members. He has more than 30 years of experience in project management, information security, information security strategic planning, software evaluation, selection and implementation, voice and data networking, systems analysis and design, information system audit, systems programming, and data center operations.

 

PCI Requirement Changes Coming in 2018

By Jeff Hall

The end of 2017 is quickly approaching, and we thought we should remind you of the PCI requirement changes that are coming next year. Some of these deadlines will go into effect at the end of January, so if you are not on top of these you had better get moving. As of February 1, 2018, the following will become requirements for all organizations complying with the PCI DSS.


PCI Compliance Every Day – Requirement 5

By Jeff Hall

In this latest post of my PCI compliance blog series, we will explore Requirement 5, which has four distinct requirements that imply they need to be addressed at least daily. The first requirement (5.1) necessitates that an organization maintain an accurate inventory of its devices and the operating systems on those devices. However, configuration management database (CMDB) solutions are notorious for not being completely implemented.


PCI Compliance Every Day – Requirement 10

By Jeff Hall

When people think of PCI business as usual (BAU) they do not typically see the requirements in section 10 as having much of anything to do with BAU. However, there are a lot of things that need to be monitored. The requirement almost everyone remembers in this section with an explicit BAU is 10.6.1.


PCI Compliance Every Day – Requirement 11

By Jeff Hall

The most widely known requirements in PCI DSS 3.2 section 11 with a timing implication are the quarterly external and internal vulnerability scans (11.2). External vulnerability scans are required to be done by an approved scanning vendor (ASV). Internal vulnerability scanning can be done by anyone that is deemed qualified to perform the scanning (as defined by the Penetration Testing Information Supplement).


PCI Compliance Every Day – Requirement 7

By Jeff Hall, Scott Chimner

This post focuses on PCI DSS requirement seven: restricting access to cardholder data and in-scope system components based on the “need to know” and/or the principle of “least privilege.” “Need to know” as defined in the PCI DSS is “when access rights are granted to only the least amount of data and privileges needed to perform a job.”


PCI Compliance Every Day

By Jeff Hall, Scott Chimner

The title of this post sounds daunting, does it not? However, achieving PCI compliance every day is not as daunting as you might think. With the release of PCI Data Security Standard (DSS) v3.2, the PCI Security Standards Council (SSC) introduced the concept of business as usual (BAU). BAU is meant to embed those relevant PCI DSS requirements into the business operations of organizations.


PCI DSS Version 3.2 Released

By Jeff Hall

Last Thursday, April 28, 2016, the PCI Security Standards Council (PCI SSC) released version 3.2 of the PCI Data Security Standard (PCI DSS). To save you the trouble of accessing the change log, we have put together some of the more notable changes in the new version.


PCI DSS: The 30-Day Patch Rule

By Jeff Hall

Requirement 6.2 of the PCI DSS (6.1 in v2) has always created a lot of consternation and discussion. For those of you that have forgotten, requirement 6.2 states: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”


PCI DSS: Significant Change vs. Periodic

By Jeff Hall

No words or phrases in the PCI standards elicit more comments and questions than “significant change,” “periodic” and “periodically”. So what do these mean? Whatever you define them to mean. It’s up to each organization to come up with formal definitions. Those definitions should be based on your organization’s risk assessment.


FishNet Security News Brief - Credit Card Compromises

By Jeff Hall

As credit card breaches continue to make headlines, PCI compliance and security measures are being discussed by industry experts and consumers alike. So how does the retail industry take back control of their data? Senior Security Consultant Jeff Hall explains why compliance isn't enough and what retailers can do to protect themselves from attack.
