Category Archives: PCI

Why Visa’s TIP Doesn’t Matter

On Thursday, I posted about a memo released by Visa, Inc. last week discussing the acceleration of EMV adoption. There is much buzz going on right now, and merchants have a false sense of hope. PCI assessments aren’t going anywhere any time soon. Why? One of the fundamental rules about PCI DSS is that you are dealing with five competing payment brands that each handle their own enforcement. This means that as a merchant you can be a different level with each payment brand, which may or may not affect how you validate compliance. A move by any one payment brand does not necessarily represent all five brands, nor does it guarantee that you will see the effects in ...


Chip and PIN on the Way

Here comes EMV Cotton tail, hoppin’ down the PCI trail, Hippety hoppety, EMV’s on its way! While crammed in the back of a cab last night, I flipped through some stuff on Twitter and found this post by Adrian Lane on Securosis describing Visa’s chip migration acceleration. Now that I am actually back in front of my computer and not bouncing around in the back of a PT Cruiser (the BACK back), I wanted to elaborate on how this impacts cardholders and merchants. If you read his post, you will learn some of the motivation for accelerating the change, but you miss a couple of key points. Chip and PIN doesn’t work if the card in your wallet doesn’t use ...


Using Transaction ID for Payments

Where is it in your strategy? Each payment brand calls it something slightly different, but they all have something like this now. Every transaction pushed through their network can now be identified with a unique transaction ID. With PCI DSS continuing to be a significant burden for merchants to handle, I can’t think of a better time to consider alternative methods for handling cardholder data after authorization. Merchants have many options when it comes to PAN replacement. When it comes to tokens, there are typically two different options you might choose—either per-transaction tokens or per-card tokens. Merchants that want to perform analytics on purchasing behavior using just the payment card itself as a way to track purchases should go ...


The Perfect World

I was recently asked in a meeting of the minds to describe my view of the perfect world as it relates to PCI DSS. For those of you who read my work often, you may notice a few themes that I continue to write about. I believe that security is a business problem, and security professionals have historically done a poor job of quantifying information security risk in a manner that makes sense to a business person. In my perfect world, companies would understand the value of the information they use to drive their business, and they would protect or transfer risk accordingly. Sounds simple on the surface, but if you have been in business in the last five years ...


Audience Participation: Who Wants Stricter PCI DSS Requirements?

WAY before I started serving my term on the PCI Board of Advisors, someone privy to the conversations once told me that the early discussions had people grouped into two distinct camps: “Make PCI DSS more prescriptive and remove gray area!” and “Remove some of the prescriptive nature of PCI DSS to allow people flexibility in meeting the standard!” While I’m not at liberty to disclose conversations that happened two weeks ago, I’m wondering what the folks in the field think about a similar topic: should PCI DSS evolve into a stricter standard or more of a framework? After announcing our election to the board, I have had SEVERAL folks from varied industries and backgrounds give me words of ...


A Brief Word about PCI DSS and Mobility

Big news Friday as the PCI Security Standards Council released several documents reversing their temporary ban on SOME mobile payment applications for the PA-DSS list. Essentially, purpose-built devices are allowed; others are not. Remember, as long as the device complies with PCI DSS in production, you do not necessarily need a PA-DSS certification to deploy it. It certainly helps the discussions with your QSA or acquirer, but it is not a requirement. In fact, not all devices CAN comply with PCI DSS, so determining that should be your first step. Go back to my guide on how to make a mobile device comply with PCI DSS for more information on the key areas you need to investigate. If you can install ...


Telephone-Based Payment Security

Back in March, the Council released an information supplement on the PCI SSC website entitled Protecting Telephone-Based Payment Card Data. Wait… MARCH, you say? Brando, seriously, work on the timeliness of information. Yeah, yeah… I hear ya. I tend to post about things that I see in my daily experiences, and frankly, I thought we had the telephone-based payment problems solved based on the Council’s official FAQ 5362 on the topic. While that answer seems pretty complete to me, the PDF above also includes several other elements that may be useful to companies dealing with telephone-based payment issues. On page 6 you will find a flowchart designed to help companies break down complex environments into a series of Yes/No questions. ...


PCI Board of Advisors, and Truncation Best Practices

Last week was the first PCI Board of Advisors meeting for the recently elected board, set to serve through June 2013. While it was a very productive session, I will not be able to blog about much of the meeting. It’s that way by design (rightfully so). At some point, I’ll have a few additional guidelines to work within, but ultimately I signed an NDA, as did my company, and I plan on honoring the terms of that NDA regardless of my thoughts about it. Just to clarify, I plan to honor the terms of the NDA that I signed, or live with the consequences if I don’t. But that’s not what this post is about. I’ve been an advocate ...


New PCI Board of Advisors Elected

The PCI Security Standards Council announced on Friday the new PCI Board of Advisors for 2011 and 2012. There are some familiar names on the list, as some of these companies are in their third term on the board, and there are some new faces, namely RSA, the Security Division of EMC. I am the representative from RSA who will be participating on behalf of the company. This is something I am looking forward to, and for those of you who voted for RSA and me, I am grateful! I hope that I can live up to your expectations. On that note, if there are things you are interested in having me take to the board, I would be happy ...


Visa’s Chargeback Management Guidelines

Visa released an interesting PDF yesterday entitled Chargeback Management Guidelines for Visa Merchants. Don’t be turned off by the stereotypical graphic on the front page; there is some good stuff in there for ALL parties involved, not just merchants. QSAs should read this document to provide a better service to their customers, if for nothing else than to see practices from a non-US-centric view. The document starts out with a great review of how payment systems work, from the initial presentation of the payment instrument to a monthly bill showing up at the cardholder’s door. Granted, this is a document from Visa, so it has Visa branding and marketing all over it, but GENERALLY the process is similar ...
