
Herding Cats, October 2009

Is now available! This month? “Using the Popular Press.” Lots of SQUIRREL references for all you fans of Up, and of course, @Beaker. Check it out here!


Oracle cracks everyone up

Did anyone else giggle a little bit when they saw that Oracle delayed its quarterly patch release because it would coincide with the OpenWorld 2009 Oracle conference?  According to Oracle, they didn’t want administrators to have to choose between installing updates in a timely manner and attending the conference. That’s funny for me because I have NEVER met an Oracle DBA that was excited about pushing patches to their servers in a couple of days (the original release was slated for October 13, and the conference ends on the 15th).  In fact, between Oracle DBAs and z/OS Administrators, I don’t know who wins the prize for yelling the loudest about patching within thirty days. THIRTY days. Not two days.  THIRTY ...


Visa Gets RSS!

Celebrate from the mountain tops! Visa got some RSS! Hopefully they will be dutifully (or have scripts) updating the feed, unlike the PCI SSC’s feed (which currently does not include their latest skimming guide) that traditionally lags behind. RSS is a GREAT way to keep your stakeholders in touch with your programs, but you really do have to stay on top of it!


MasterCard Clarifies their Position

FINALLY! An official statement from MasterCard! Last night, MasterCard posted a four page FAQ on their website to help us deal with the onslaught of buzz that came from their original posting. Some of it anecdotal and humorous (albeit literally true), some of it from this very blog. Here’s the meat of what you need to know: Level 1 merchants that engaged an internal audit team before 15 June 2009 must validate compliance with a QSA by December 31, 2010. Level 2 merchants must ALSO validate compliance with a QSA by December 31, 2010. Internal assessments MAY NOT be performed. The way that MasterCard words this, it appears to be a punt over to the Council. If the Council would ...


PCI DSS Goes v1.2.1

Don’t worry, you don’t need to tear up your existing compliance assessment.  Troy Leach recently alerted the world, via press release, that PCI DSS version 1.2.1 is now the most recent version of PCI DSS, though he states, “As there are no changes to the intention or requirements of the DSS, your compliance programs will be unaffected by the change from DSS 1.2 to DSS 1.2.1.”  This change is minor in nature, and does not constitute a new version per the PCI Lifecycle document released earlier this year.  Most of the changes are typos or alterations in the document, some based on new policies or fees.  Let’s walk through the changes. Three documents were modified with this new version.  For PCI ...


Visa Sets Payment Application Security Mandates

As many of us in the industry had suspected, Visa has delayed its payment application security mandates two years to 2010 (newly boarded merchants) and 2012 (all merchants). The information was officially released on June 24, but I certainly did not see any public reference to it until recently. This is rumored to be largely in response to a low supply and high demand issue in the fuel industry. So those of you that were dealing with unrealistic deadlines, you’ve got a reprieve! Keep pushing though, don’t be one of those guys limping in at the eleventh hour!


MasterCard to Fine Merchants for Non-Compliance

OK, SOMEONE out there has some explaining to do. Like, right now. Who poked MasterCard hard enough to wake them from hibernation? When it comes to actions against merchants, MasterCard has typically been much quieter than Visa. We’ve had several customers come to us with new fines from MasterCard that will begin sometime in the next 18-21 months beginning NOW. Why the ambiguity? None of our customers seem to have a date when the fines start! This is a huge assumption here, but I will suggest that the fines would start after the 2010 deadlines for Level 1 & 2 merchants. Revisiting those deadlines, Level 1 & 2 merchants must produce a Report on Compliance from a QSA by December ...


Guest Post: HITECH Alters HIPAA—Will HIPAA be ‘Hip’?

The following is a guest post by Bindu Sundaresan, a consulting manager in our Risk & Compliance consulting practice. With the current “non-stimulating” economy, there is a lot of talk about the “stimulus” bill, which is impacting all areas of the US economy. One such impact is the reason for today’s blog post. A portion of the new economic stimulus bill, called the Health Information Technology for Economic and Clinical Health Act (the “HITECH Act”), will have a significant impact on the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This new law revives HIPAA (which has been around for over a decade), but which has many a time gone unnoticed/not strongly enforced, with no incentive to comply, amongst the other ...


The Final Word on MasterCard’s New Levels

It’s been a little over a week now since MasterCard took the PCI world by surprise and changed their reporting requirements for Level 2 merchants. Whether you are currently a Level 1 or Level 2 merchant, these changes affect you. Here’s the summary and rundown. MasterCard posted a change to their Site Data Protection program that requires Level 2 merchants to use a QSA and perform an on-site assessment before December 31, 2010. In addition, Level 1 merchants that were previously self-assessing may not self-assess anymore, and must use a QSA for their PCI Assessments. This is a dramatic change from the current, industry-wide requirement of self-assessing for merchants processing less than six million transactions annually, and allowing ...


Much Ado About Nothing, Merrick v. Savvis Update

Don’t write Savvis off yet! Dave Navetta posted an update to the Merrick v. Savvis case that every QSA is closely watching. Savvis filed a motion to dismiss in response to the lawsuit. I’m not a lawyer, but I’m glad David is. He explains the reasoning, and even mentions that Merrick’s potential procedural error (or end-around) could get this case dismissed before the substantive merits of the case can be explored, thus continuing to leave the world in the dark about more potential liabilities involved with performing PCI Assessments. Go check it out!

