
All news with #pci dss tag

15 articles

AWS Completes S&P Global KY3P Assessment Report

🔒 AWS has completed the S&P Global Know Your Third Party (KY3P) assessment to validate its security posture and help customers reduce supplier due diligence. The KY3P assessment is evidence-based and evaluates operation of controls across privacy, network, access, and physical security domains. Results can be mapped to frameworks such as NIST CSF v2, PCI DSS 4.0, and ISO 27001:2022 to provide customers with standardized risk data and improved visibility into supply chain risks.

AWS Payment Cryptography Achieves PCI PIN and P2PE

🔒 AWS announced the completion of PCI PIN and PCI P2PE assessments for AWS Payment Cryptography, expanding validations to include Key Management (KMCP) and Key Loading (KLCP) alongside the existing Decryption Management (DMCP). The coverage is extended to South America (São Paulo) and Asia Pacific (Sydney) Regions. These attestations allow customers to use PCI PTS HSM-certified, AWS-managed HSMs with compliant key management to simplify regulated deployments.

AWS Payment Cryptography Now Available in São Paulo

🔐 AWS Payment Cryptography is now available in South America (São Paulo), allowing latency-sensitive payment workloads to run closer to their applications. The fully managed service centralizes payment-specific cryptography and key management and is assessed as PCI PIN and PCI P2PE compliant. Organizations such as acquirers, payment facilitators, networks, switches, processors, and banks can reduce dependence on dedicated payment HSMs and auxiliary data centers. To start, update your AWS CLI/SDK and consult the service user guide for region-specific guidance.

AWS Backup adds PrivateLink support for SAP HANA on EC2

🔒 AWS Backup now supports AWS PrivateLink for SAP HANA systems running on Amazon EC2. This lets customers route backup traffic over private VPC endpoints instead of the public internet, helping meet security and compliance requirements for regulated workloads. Organizations subject to HIPAA, PCI DSS and privacy frameworks can maintain end-to-end private connectivity for both application and backup data. The feature is available in all AWS Regions that support SAP HANA on EC2; to enable it, update the Backint agent and add the backup-storage VPCE to your VPC.

AWS Payment Cryptography Gets Cartes Bancaires (CB) Approval

🔐 AWS Payment Cryptography is now approved by France’s national card network, Cartes Bancaires (CB), making it one of the first cloud-based payment cryptography services to receive this endorsement. The approval complements existing compliance credentials such as PCI DSS, PCI PIN, and ISO 27001, enabling customers to run compliant payment workloads in AWS without managing HSM hardware. The service is available in multiple AWS Regions and can be accessed via the latest AWS CLI/SDK.

AI Agents Are Rewriting Compliance Controls—CISOs Must Act

🛡️ AI agents are being embedded into regulated workflows and are forcing a rethink of controls designed for human actors, including SOX, GDPR, PCI DSS, and HIPAA. Because agents act, adapt, and drift, controls that once relied on predictable human behavior can silently fail, collapsing segregation of duties and exposing sensitive data. CISOs should treat agents as non-human identities with least‑privilege access, strong credential management, continuous monitoring, and robust logging and change governance to keep regulated workflows auditable and defensible.

AWS Payment Cryptography Achieves PCI PIN Compliance

🔒 AWS announced that AWS Payment Cryptography successfully completed the PCI PIN audit and received an Attestation of Compliance with zero findings. The updated compliance package includes the PCI PIN AOC and a PCI PIN Responsibility Summary that clarifies shared responsibilities for developing and operating secure PIN-handling environments. The attestation confirms use of PCI PTS HSM-certified, fully managed hardware and PCI PIN-compliant key management; reports validated by the QSA Coalfire are available through AWS Artifact.

Regular Cyber Risk Assessments Improve Data Security

🔍 Regular cyber risk assessments are essential for identifying vulnerabilities, prioritizing remediation, and documenting security progress for leadership. CISOs receive actionable insights about exposed data, authentication gaps, and compliance obligations (for example, GDPR and PCI DSS). Analyses show one in ten cloud datasets is broadly accessible and more than 99% of compromised accounts lacked MFA. Typical assessments take two to four hours and deliver prioritized, immediately actionable recommendations.

Global Magecart Campaign Targets Six Major Card Networks

🔒 Silent Push has uncovered a long-running Magecart web‑skimming campaign, active since around 2022, that loads highly obfuscated JavaScript from bulletproof hosting and targets six major card networks including American Express, Mastercard and UnionPay. The skimmer operates client-side, injecting an iframe to display a convincingly styled fake payment form that captures cardholder and shipping details before restoring the original form. Silent Push links parts of the infrastructure to domains hosted by a sanctioned/bulletproof provider and recommends measures such as Content Security Policy, PCI DSS adherence, timely CMS/plugin updates, enforced MFA and incognito-mode testing to detect stealthy injections.

AWS Expands PCI DSS Scope with Two Services and Region

🔒 AWS added two services — AWS Security Incident Response and AWS Transform — and the Asia Pacific (Taipei) Region to its PCI DSS certification scope. The updated PCI DSS package includes an Attestation of Compliance (AOC) and an AWS Responsibility Summary, both validated by Coalfire. Customers can retrieve the package in AWS Artifact, and AWS also published the PCI report package in NIST OSCAL JSON to enable machine-readable, automated compliance workflows.

AWS Payment Cryptography Adds AS2805 Support in Sydney

🔐 AWS Payment Cryptography is now available in the Australia (Sydney) Region and adds AS2805 functionality. The update enables migration of node-to-node payment workloads to an elastic, AWS-managed service that uses PCI-certified HSMs, removing the need for standalone hardware appliances. The service integrates with AWS IAM and AWS CloudTrail and supports standard AWS CLI/SDK tooling to simplify deployment and compliance verification.

Global Payments: Resilient Scale Architecture with Cloud SQL

☁️ Global Payments partnered with Google Cloud to design a multi-region, highly available database architecture using Cloud SQL Enterprise Plus. The deployment spans three regions with zonal replication, read replicas, cascading replication, and Cloud SQL Auth Proxy integration to support low-latency reads and rapid failover. This configuration yields near-zero planned downtime, sub-minute RTO and zero RPO for Tier 1 workloads, while meeting PCI DSS, GDPR, and NIST requirements.

Prison kiosk hack and new PCI DSS limits on Magecart

🔐 In episode 440 Graham Cluley and guest Scott Helme examine an unusual insider exploitation where Romanian prison self‑service web kiosks let inmates access and alter records. They also explore the growing threat of third‑party JavaScript on checkout pages and how the updated PCI DSS aims to curb Magecart‑style skimmers. Plus, the hosts cover automation with Keyboard Maestro and video creation using Screen Studio.

Iframe Security Exposed — Payment Checkout Blind Spot

🔒 Payment iframes are no longer a guaranteed sandbox: attackers have adopted pixel-perfect overlays and other injection techniques to steal card data from checkout pages. The article dissects the August 2024 Stripe skimmer campaign that compromised dozens of merchants and used a deprecated API to validate stolen cards in real time. It explains why legacy controls like X-Frame-Options and basic CSP fail when the host page is compromised and outlines a practical six-step defense combining strict CSP, real-time DOM monitoring, secure postMessage handling, and tooling changes required by PCI DSS 4.0.1.

Spring 2025 PCI 3DS Compliance Package Available Now

🔒 AWS has renewed its PCI 3DS certification for Spring 2025 and expanded scope to include three additional services—Amazon Verified Permissions, AWS B2B Data Interchange, and AWS Resource Explorer—and three Regions: Asia Pacific (Thailand), Asia Pacific (Malaysia), and Mexico (Central). The compliance package includes an Attestation of Compliance (AOC) and an AWS Responsibility Summary to clarify shared responsibilities for handling payment card data. Coalfire served as the third-party Qualified Security Assessor (QSA) for the renewal. Customers can retrieve the detailed reports via the AWS Artifact self-service portal to support their audits.