Jeff Hall

Principal Security Consultant

Jeff Hall is a principal consultant in Optiv’s advisory services practice on the Payment Card Industry (PCI) compliance team. Jeff’s role is to provide post-sales support and consulting to Optiv’s clients as well as providing support and mentoring to other Optiv team members. He has more than 30 years of experience in project management, information security, information security strategic planning, software evaluation, selection and implementation, voice and data networking, systems analysis and design, information system audit, systems programming, and data center operations.

PCI Compliance Every Day – Requirement 4

· By Jeff Hall ·

In this latest post of my Payment Card Industry Data Security Standard (PCI DSS) compliance blog series, we will explore Requirement 4 of the standard. People look at what this requirement entails and always ask me, “What is in here that has any sort of timing requirement?” “Interestingly, a lot,” is always my reply.

PCI Requirement Changes Coming in 2018

· By Jeff Hall ·

The end of 2017 is quickly approaching, and we thought we should remind you of the PCI requirement changes that are coming next year. Some of these deadlines will go into effect at the end of January, so if you are not on top of these you had better get moving. As of February 1, 2018, the following will become requirements for all organizations complying with the PCI DSS.

PCI Compliance Every Day – Requirement 5

· By Jeff Hall ·

In this latest post of my PCI compliance blog series, we will explore Requirement 5, which has four distinct requirements that imply they need to be addressed at least daily. The first requirement (5.1) necessitates that an organization maintain an accurate inventory of its devices and the operating systems on those devices. However, configuration management database (CMDB) solutions are notorious for not being completely implemented.

PCI Compliance Every Day – Requirement 10

· By Jeff Hall ·

When people think of PCI business as usual (BAU) they do not typically see the requirements in section 10 as having much of anything to do with BAU. However, there are a lot of things that need to be monitored. The requirement almost everyone remembers in this section with an explicit BAU is 10.6.1.

PCI Compliance Every Day – Requirement 11

· By Jeff Hall ·

The most widely known requirements in PCI DSS 3.2 section 11 with a timing implication are the quarterly external and internal vulnerability scans (11.2). External vulnerability scans are required to be done by an approved scanning vendor (ASV). Internal vulnerability scanning can be done by anyone that is deemed qualified to perform the scanning (as defined by the Penetration Testing Information Supplement).

PCI Compliance Every Day – Requirement 7

· By Jeff Hall, Scott Chimner ·

This post focuses on PCI DSS Requirement 7: restricting access to cardholder data and in-scope system components based on the “need to know” and/or the principle of “least privilege.” “Need to know” as defined in the PCI DSS is “when access rights are granted to only the least amount of data and privileges needed to perform a job.”

PCI Compliance Every Day

· By Jeff Hall, Scott Chimner ·

The title of this post sounds daunting, does it not? However, achieving PCI compliance every day is not as daunting as you might think. With the release of PCI Data Security Standard (DSS) v3.2, the PCI Security Standards Council (SSC) introduced the concept of business as usual (BAU). BAU is meant to embed those relevant PCI DSS requirements into the business operations of organizations.

PCI DSS Version 3.2 Released

· By Jeff Hall ·

Last Thursday, April 28, 2016 the PCI Security Standards Council (PCI SSC) released version 3.2 of the PCI Data Security Standard (PCI DSS). To save you the trouble of accessing the change log, we have put together some of the more notable changes in the new version.

PCI DSS: The 30-Day Patch Rule

· By Jeff Hall ·

Requirement 6.2 of the PCI DSS (6.1 in v2) has always created a lot of consternation and discussion. For those of you that have forgotten, requirement 6.2 states: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.”

PCI DSS: Significant Change vs. Periodic

· By Jeff Hall ·

No words or phrases in the PCI standards elicit more comments and questions than “significant change,” “periodic” and “periodically.” So what do these mean? Whatever you define them to mean. It is up to each organization to come up with formal definitions, and those definitions should be based on your organization’s risk assessment.
