Friday, 21 May 2010

Tuesday, 11 May 2010

Latest certified PA-DSS applications, 11 May 2010

By the 11th of May we have 7 new certified applications from 6 vendors:
4 of them are completely new and 3 are requalified versions of old applications.
5 of them are POS applications, 1 is a payment gateway and 1 is payment middleware.


1. (NEW) AccuPOS 10 by Attitude Positive
2. (NEW) AccuPOS 11 by Attitude Positive
3. (NEW) Star~Lite by Auto~Star Compusystems, Inc.
4. (REQUALIFICATION) ICON 9.0X by Civica
5. (REQUALIFICATION) ChargeItPro 3.03 by Payment Processing Partners, Inc.
6. (NEW) ProfitMaster Payment Interface (PPI) by ProfitMaster Canada
7. (REQUALIFICATION) InFusion 3.50 SP3 by Partech

All information was taken from the official site of the PCI Council as of 11 May 2010.

Prepare for "Jackpotting Automated Teller Machines Redux"

At the upcoming Black Hat event 2010 in Las Vegas, Barnaby Jack will give a presentation about remotely and locally attacking ATMs, including an example of an ATM rootkit. I hope it will be very interesting, because Jack's presentation in 2009 was halted by an ATM vendor since those vulnerabilities were 0-days and very critical. So get ready!

Here is some text from the announcement:

"Jackpotting Automated Teller Machines Redux"

The presentation "Jackpotting Automated Teller Machines" was originally on the schedule at Black Hat USA 2009. Due to circumstances beyond my control, the talk was pulled at the last minute. The upside to this is that there has been an additional year to research ATM attacks, and I'm armed with a whole new bag of tricks.

I've always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat.

The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software.

Last year, there was one ATM; this year, I'm doubling down and bringing two new model ATMs from two major vendors. I will demonstrate both local and remote attacks, and I will reveal a multi-platform ATM rootkit. Finally, I will discuss protection mechanisms that ATM manufacturers can implement to safeguard against these attacks.

Passport® with PA-DSS Point of Sale System is used by Heartland, RBS WorldPay and many others

More Networks Certify Passport® with PA-DSS Point of Sale System

"GREENSBORO, N.C. – May 5, 2010 – Heartland Payment Systems (Dallas) for CITGO, Marathon and unbranded customers, along with RBS WorldPay, have approved Passport with PA-DSS point of sale system software for retailers on their networks. They join BP, Chevron, Concord (Gulf, Sinclair, Sunoco, Valero and unbranded), ExxonMobil, NBS/Cenex, and Shell software applications that are already shipping."

Passport has the most networks approved with a PA-DSS validated application for convenience store operators.

Tuesday, 4 May 2010

PA-DSS and open source, part 2

Another article about open-source PA-DSS applications.

Monday, 3 May 2010

Latest certified PA-DSS applications, 3 May 2010

By the 3rd of May there are 7 new certified applications:

1. ActiveRetail Enterprise by Argility

2. IVR for Payment Gateway (IVRFPG) by Bay Talkitec

3. CAGE by Innovative Control Systems

4. OPERA Enterprise Solution by Micros

5. X-Series TMS by Panasonic

6. VersaPOS by Systime Computer Systems

7. Venuemaster² by Ticketmaster UK


All information was taken from the official site of the PCI Council.

Monday, 26 April 2010

Application security and PA-DSS certification

I've posted my presentation from CardExpo. First, it is about the importance of application security in the PCI security area, and of course about the PA-DSS standard and the advantages for application vendors and merchants of getting PA-DSS compliance.

Friday, 23 April 2010

Hacking ATMs

A really good presentation by Dimitris Petropoulos about ATM and HSM hacking, which combines all known and new attacks on PIN algorithms. A must-see for everyone who is interested in PIN (in)security :)

Thursday, 22 April 2010

NEW TOPIC: "Complying with PA-DSS", Requirement 5.2.1 (practical guide to fixing XSS vulnerabilities)

In the topic "Complying with PA-DSS" I will show different ways which will help you to comply with different requirements.
As we started to talk about web application security in the previous topic, let's continue in this area. The most popular web application vulnerability is XSS, as mentioned earlier, so here is a guide for developers on how to fix XSS vulnerabilities and write secure code.
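As an added example that is not part of the original post or of the linked guide, here is the kind of "before and after" a developer fixing Requirement 5.2.1 findings needs to see: the same user-controlled value rendered into three different output contexts (HTML body, HTML attribute, JavaScript string), once unsafely and once with encoding chosen for that context. The helper names and the attacker payloads are constructed for this illustration; nothing here is code from the page or from any vendor's application.

```python
import html
import json

# Constructed attacker-controlled input (assumption: arrives from a request
# parameter such as ?name=...). Not taken from the page.
ATTACK_NAME = '<script>alert(1)</script>'
ATTACK_URL = 'javascript:alert(document.cookie)'


def render_greeting_vulnerable(name: str) -> str:
    """The 'before': untrusted input concatenated straight into HTML body text.
    Whatever markup the user sends is interpreted by the browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_fixed(name: str) -> str:
    """HTML body context: entity-encode &, <, >, \" and ' before interpolating.
    The payload is now displayed as text instead of executed."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_fixed(label: str, url: str) -> str:
    """HTML attribute context. Entity encoding alone is not enough for an href:
    a 'javascript:' URL is well-formed attribute text and still executes, so the
    scheme is allow-listed first, then the value is encoded with quotes escaped."""
    scheme = url.split(":", 1)[0].lower() if ":" in url else ""
    if scheme not in ("http", "https"):
        url = "#"  # neutralise unknown or dangerous schemes
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'


def render_js_data_fixed(value: str) -> str:
    """JavaScript string context inside an inline <script>. JSON encoding handles
    quotes and backslashes, but a literal '</' would still let '</script>' close
    the element early, so it is additionally escaped to '<\\/'."""
    encoded = json.dumps(value).replace("</", "<\\/")
    return f"<script>var user = {encoded};</script>"


def executes_script(markup: str) -> bool:
    """Crude check used only to show the difference: does raw markup contain an
    unencoded opening <script> tag that came from the user value?"""
    body = markup.split("<script>var user", 1)[0] if "var user" in markup else markup
    return "<script>" in body.lower()


if __name__ == "__main__":
    print(render_greeting_vulnerable(ATTACK_NAME))  # payload executes
    print(render_greeting_fixed(ATTACK_NAME))       # payload is inert text
    print(render_link_fixed("profile", ATTACK_URL))  # href replaced by "#"
    print(render_js_data_fixed("</script><script>alert(1)</script>"))
```

The point a developer usually misses is the middle one: `html.escape` is the right fix for body text and attribute values, but it does nothing against a `javascript:` URL in an `href`, and it is the wrong encoder for a value that lands inside a script block. Pick the encoder for the context the value is written into, and allow-list where encoding cannot help.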

Importance of web application security in PA-DSS certification

WhiteHat Security published a report with various statistics about web application vulnerabilities, which shows the importance of the web application security assessment required by Requirement 6.5 of PCI DSS and 5.2 of PA-DSS.
More on the importance of application security in a PA-DSS assessment in the presentation from CardExpo, which will be available soon.

Tuesday, 20 April 2010

OWASP Top 10 final version released

On April 19, 2010 OWASP released the final version of the OWASP Top 10 for 2010, and here is the associated press release.

The OWASP Top 10 Web Application Security Risks for 2010 are:

A1: Injection
A2: Cross-Site Scripting (XSS)
A3: Broken Authentication and Session Management
A4: Insecure Direct Object References
A5: Cross-Site Request Forgery (CSRF)
A6: Security Misconfiguration
A7: Insecure Cryptographic Storage
A8: Failure to Restrict URL Access
A9: Insufficient Transport Layer Protection
A10: Unvalidated Redirects and Forwards

Now you must use those risks in PCI DSS and PA-DSS compliance assessments.

Monday, 19 April 2010

New topic: latest certified PA-DSS applications

From today I will post here the latest PA-DSS certified applications:

This week we have 2 press releases:

1. 17 April 2010: SalePoint Announces PA-DSS Validation of Trovato Point of Sale Software
2. 13 April 2010: Hypercom Payment Software Earns PCI PA-DSS Security Validation

PA-DSS and open source applications

A really good article about the problems of certifying open-source applications.

As I see it (and my point of view is the same as in the article), most of the problems lie in the development process. Things like the SDLC, secure updates, change control and documentation of the process are really hard to implement when you talk about open-source software. And of course there is the problem of paying for certification; I don't think that developers can pay $30k or so for the certification process )

Friday, 16 April 2010

Developers' guide to PCI DSS and PA-DSS requirements

While searching for information for my upcoming talk about Application Security and PA-DSS Compliance at the CardExpo conference, which will be held in Moscow (Russia) on 20 April, I found a good video for developers about PCI and PA-DSS compliance from OWASP MSP 2009 by Sets Peter.

Tuesday, 13 April 2010

ATMs and PA-DSS

ATMs: PTS, PCI DSS, or PA-DSS? In two words, the answer is:

PTS applies to the PIN pad component of the ATM
PA-DSS applies to the software running on the ATM (potentially)
PCI DSS applies to the company that drives the ATM network

More information here: ATMs: PTS, PCI DSS, or PA-DSS? by Michael Dahn

Monday, 12 April 2010

iPad and PA-DSS

An interesting article about iPad applications and PA-DSS (link). BTW, the first (if we believe the authors) PA-DSS compliant application is available in the iStore.

P.S. I took a look at the List of Validated Payment Applications and did not find anything about this application. So you must be aware of such types of applications :)

Wednesday, 7 April 2010

pcidssrussia 2010

On 17 March I gave a talk at the pcidssrussia2010 conference, which was a very great event btw. I had two talks at this conference. One was about technical aspects of PCI DSS compliance, where the main idea was "Thinking about the purpose of a requirement may help you to save time and money and make a good solution which will be both secure and compliant".

The other talk was an introduction to PA-DSS for beginners. Nothing special, but a good starting point.

Download the presentation (in Russian)

Beginning

Hello, my name is Alexander Polyakov. I work at Digital Security as the lead of the IT security audit department, and I am also the head of our research group DSecRG, which is focused on finding vulnerabilities and research in the enterprise application security area.

As I am also a PCI QSA and PA-QSA, I decided to start a new project in the payment application security area and write here my research and thoughts about it. So everybody is welcome!