White Papers

PSC White Papers

To download the white papers please complete the form at the bottom of this page.


Simple Network Traffic Examination: A method for quicker threat detection

Author: Tom Arnold, Vice President

The purpose of this short article is to introduce you to some of the tools and techniques used to check network traffic on your internal network to hunt for potential threats. These techniques do not involve expensive IDS or data loss prevention technologies and are very effective in identifying system assets that may be involved with a realized threat. This is just an introduction to some valuable tools that do not replace a strong defensive posture as required in standards like PCI DSS. These tools are supplements that permit routine testing of networks and systems to determine if an attacker has gained a foothold through some other means, like phishing or social engineering. PSC’s forensics and incident response teams can help prepare your business and provide comprehensive testing of system environments to give you peace of mind.

FREE for Download


Incident Response in Amazon EC2: First Responders Guide to Security Incidents in the Cloud

Author: Tom Arnold, Vice President

The white paper examines the steps that a first responder should take in response to a detected security incident in Amazon's Elastic Compute Cloud (EC2). Although Amazon's environment is very robust, humans are still part of building and fielding the applications that run on EC2; as such, a fully secure environment can hardly be assured. The white paper focuses on the immediate actions that an Amazon EC2 subscriber should prepare to take in advance of the forensic cavalry arriving on scene.

FREE for Download


Effective Segmentation to Meet PCI 3.0

Author: Nigel Tranter, Vice President

While network segmentation is not a requirement to pass PCI, it can be used to reduce the scope of a PCI assessment by rendering certain systems, networks, personnel, processes, and locations "out of scope". This white paper illustrates some basic rules that will make network management and systems easier to understand and help maintain secure isolation.

FREE for Download


Preparing for PCI DSS 3.0

Author: Nigel Tranter, Vice President

PCI DSS 3.0 represents a major change to the standard and significant effort for merchants and service providers. This white paper will guide you through the changes and pitfalls of the new standard.

FREE for Download


Current Threats Against Retailers

Author: Paul Guthrie, Vice President

The current wave of retail breaches has dramatically increased in sophistication. PSC has published a white paper that examines the current malware attacks and covers prevention and detection mechanisms that retailers can use to mitigate their risk.

FREE for Download


Maintaining PCI-DSS Compliance (Updated for PCI DSS 3.0)

Author: Paul Guthrie, Vice President

Maintaining PCI-DSS compliance between assessments is an extremely challenging proposition. This paper puts forward suggestions, guidelines and approaches that may be used to form a PCI-DSS compliance program to keep your company in compliance at all times.

FREE for Download


Tokenization - A Merchant's View

Author: Nigel Tranter, Vice President

PSC has noted that tokenization is a popular mechanism for merchants to reduce risk while maintaining compliance with PCI. However, some token service providers promote tokenization as a way to remove the need to be PCI compliant. This is not true. Not all tokenization systems are secure or provide actual risk reduction, and some tokenization systems may actually increase risk.

FREE for Download


Credit Card Information Surrogate "A Method and System for using surrogates to integrate PCI-level security for legacy information systems"

Author: Tom Arnold, Vice President

This paper presents a method and system for assigning a consumer credit card surrogate, based on card account number issuing methods. The method offers a solution to the drawback presented by using a SHA-1 message digest for credit card numbers. The proposed solution appears to have all the positive characteristics noted for a digest, and the surrogate I describe fits into a 16-digit numeric credit card field in legacy file systems or databases. I am pleased to introduce the Card Account Surrogate, or Token: a national-space account number that has the random aspects of a digest, uniquely identifies a customer account, has no value to an outside individual, and passes the Luhn check used to validate card account numbers.
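As an added illustration of the properties the abstract lists (a 16-digit numeric surrogate that is stable per account, looks random, and passes the Luhn check), the following Python is my own example and is not the issuing-method-based scheme from the white paper. It assumes a keyed HMAC-SHA256 as the source of randomness and a leading "9" for the surrogate, an assumption chosen because ISO/IEC 7812 reserves that major industry identifier for national use, so a surrogate in that space cannot be mistaken for an issued card number. The sample PAN and key are constructed test values.

```python
import hashlib
import hmac

# Hypothetical keyed surrogate generator written for this page as an illustration;
# it is NOT the issuing-method-based scheme the white paper describes.


def luhn_check_digit(payload: str) -> str:
    """Return the Luhn check digit for `payload` (all digits except the last)."""
    total = 0
    # Starting from the digit nearest the check position, double every other digit.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if `number` is all digits and its last digit is the correct Luhn check digit."""
    if not number.isdigit() or len(number) < 2:
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def make_surrogate(pan: str, key: bytes, prefix: str = "9") -> str:
    """Map a card number to a 16-digit, Luhn-valid surrogate that is stable per PAN.

    prefix: leading digit(s) of the surrogate. "9" is an assumption here: under
    ISO/IEC 7812 a leading 9 is reserved for national use, so a surrogate in that
    space cannot collide with an issued card number.
    A keyed HMAC is used rather than a bare digest because the PAN space is small
    enough to enumerate; an unkeyed hash of a PAN can be reversed by brute force.
    """
    if not luhn_valid(pan):
        raise ValueError("input is not a Luhn-valid card number")
    body_len = 16 - len(prefix) - 1  # digits left after the prefix and the check digit
    mac = hmac.new(key, pan.encode("ascii"), hashlib.sha256).digest()
    # Reduce the MAC to a fixed-width decimal body, then append the Luhn check digit.
    body = str(int.from_bytes(mac, "big") % 10 ** body_len).zfill(body_len)
    payload = prefix + body
    return payload + luhn_check_digit(payload)


if __name__ == "__main__":
    # Constructed sample: a well-known Luhn-valid test PAN and a demo key (not a real secret).
    sample_pan = "4111111111111111"
    demo_key = b"demo-key-do-not-use-in-production"
    token = make_surrogate(sample_pan, demo_key)
    print(token, len(token), luhn_valid(token))
```

The key must be held only by the surrogate service; anyone with it can recompute the mapping for any PAN, which is exactly the brute-force exposure a bare digest has by default.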

FREE for Download


Implementing PCI "A Guide for Network Security Engineers"

Author: Tom Arnold, Vice President

This paper provides architectural guidance for network security engineers who are responsible for implementing systems and technologies that comply with the PCI Data Security Standard (PCI DSS). It analyzes the requirements that are specifically related to network security and describes approaches for achieving compliance in accordance with the spirit of the standard, while respecting the cost of deployment. At the conclusion, a section on next steps provides general guidance for the engineer chartered with implementing a PCI-compliant network architecture.

FREE for Download


10 Myths about PCI Compliance

  1. I'm a small merchant, who only takes a handful of cards, so I don't need PCI.
  2. PCI only applies to E-commerce companies.
  3. You only have to be compliant with the majority of criteria.
  4. If I only process debit cards I don't need to do PCI.
  5. I can wait until my business grows.
  6. I can just answer "yes" to all the criteria on the self-assessment.
  7. As a merchant I'm not liable if a credit card is compromised.
  8. I can wait until my bank asks me to be compliant.
  9. As a Merchant, I did not sign anything saying I would be compliant; therefore, I do not need to be.
  10. As a Merchant, I'm entitled to store any data.

FREE for Download


Virtualization and PCI

Author: Nigel Tranter, Vice President

Should virtualization be considered a requirement for PCI? What has the PCI SSC stated on the matter of virtualization? If built correctly, does a virtual system do a better job of protecting cardholder data than a traditional system?

FREE for Download


Download Request Form

PSC principals have written and presented in a wide range of forums, addressing issues in identity management, computer security, payments, and digital property. Please complete the following information to download the PSC white paper of your choice. Thank you.
