PCI DSS for the Small Office

Before I jump into this topic, have I told you lately that I LOVE reader email? REALLY love it. Why? Because it gives me ideas on content to bring to you! If you have a question or idea for a post, please contact me! Now, on to the goods. A reader asked me about compliance in a small medical office situation. How should someone approach it? You probably got a letter from someone with a Self-Assessment Questionnaire, and you are unsure what to do! Here are a few things to consider: What Level Merchant are you? If you are a level 4, you do not have any mandatory reporting requirements per Visa, MasterCard, and Discover, but your processor or acquirer ...

How to Make a Mobile Payment App Comply with PCI DSS

The PCI Security Standards Council recently made news when they announced that they would no longer be accepting mobile payment applications for PA-DSS compliance consideration. This means that vendors looking to certify new mobile applications or devices are now left in the lurch. But we have to dissect this rather knee-jerk reaction (see, there I go again) by the Council to understand exactly their intent. What they said was: “No mobile payment applications used by merchants to accept or process payment for goods and services would be approved or listed as validated PA-DSS applications unless all requirements can be satisfied as stated… Until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the ...

How Deep is Deep Enough?

After my last post on the Lack of Understanding in QSAs, Brad emailed me and asked how much a QSA or ISA should look behind the curtain for someone like an Iron Mountain (analogy used in the post). I feel like a bad consultant/blogger because I only pointed out a problem, but didn’t point out a solution. It’s OK though, I’m over it now. How deep is deep enough? Here is a basic guideline: Is the service provider currently on the PCI DSS Global Registry of Service Providers, and is their listing current? If so, I think most QSAs would look at how the data is handled prior to the handoff, make sure that the handoff and contracts are compliant ...

The Lack of Understanding in QSAs

This topic seems to keep coming back, and it’s getting more frequent. I mentioned this as an element of Sin #2, Compensating Control Chaos, in my recent paper, and more companies are coming to my team to help them through an inexperienced QSA’s assessment. The worst part is that it is a self-fulfilling prophecy. If you squeeze the dollars you pay a QSA, they will squeeze the quality and thoroughness of what you are getting. It’s been a while since I have performed an assessment from start to finish. That said, I’ve seen people ((Meaning me.)) guilty of assuming that an Iron Mountain truck seen near a company’s data center equals secure off-site transport and tracking of goods—no questions asked. ...

Why Trying to Change the Rules Doesn’t Work

Going against the grain isn’t easy. Go back through history and look at individuals that failed and succeeded doing just this. Most of them had incredible hardships and made huge personal sacrifices, including many who gave their life to the cause. OK, so I suppose I should take a moment to clarify. Changing the rules CAN work, just not very often, and none of you are really willing to die changing PCI DSS, are you? Didn’t think so. When PCI DSS was becoming more relevant, I saw two distinct camps of individuals responding to the movement. Typically the security folks were in favor of PCI DSS as they saw it as the justification to get the things they needed to ...

Dave Hogan Leaves the NRF

Yep, it’s true. Looks like Dave is moving on for a more “traditional industry position.” In honor of Dave leaving his long tenure, I wanted to revisit my favorite five posts about Dave Hogan:

Why the NRF is Dead Wrong
The NRF Goes Past Where the Sidewalk Ends
The Blame Game
Review of PCI Congressional Hearing
For the Record, I Love Dave Hogan!

Blue skies, Dave, and enjoy!

Seven Deadly Sins of a QSA (THE END)

QSAs are human, and humans make mistakes. Over the last several posts we have discussed seven deadly sins committed by QSAs, shown examples of what those mistakes look like, and given you guidance for how to avoid them or navigate your way through them if you find yourself in the middle of one. If you must comply with PCI DSS, one of the best investments you can make in your people is to put them through the same training QSAs go through and have them certified as Internal Security Assessors (ISAs). This way, you will have an additional check to know if a QSA is making one of these (or other) mistakes and have a chance at catching them before ...

Seven Deadly Sins of a QSA (Part 16)

Sin #7 – Bowing to Threats about the Future

Remember when we discussed consulting being a people business? The last sin we will cover is actually one that can be committed by either party. Maybe more accurately, committed by the QSA, but enabled by the assessee. QSAs sometimes give in to someone who says, “If you don’t mark this as compliant, I am giving my business to someone else.” I’m not talking about a contract issue or some other incidental dispute during the assessment, I’m referring to the rigor of the assessor being used as a bargaining chip.

It’s My Way or the Highway

As an assessor, I’ve been threatened like this multiple times over my career. Having someone in ...

Seven Deadly Sins of a QSA (Part 15), Be My Valentine?

Sin #6 – Q/A Tunnel Vision

The Quality Assurance (Q/A) program is in full swing at the PCI Security Standards Council. After companies started taking PCI DSS seriously and retaining QSAs, merchants and service providers realized that not every QSA interpreted requirements the same. One of the biggest complaints about the QSA community is variance in interpretation on key items that could impact the cost of compliance—positive or negative. The Q/A program was announced at the 2008 PCI Community Meeting ((If you are a stakeholder in PCI DSS and are not going to these meetings, you are missing out.)) and began to take effect shortly thereafter. QSAs were put on the remediation list as early as 2009.

Myopic Assessment Views

The ...

Seven Deadly Sins of a QSA (Part 14)

Good PCI DSS, Bad Infosec Foundation

You may also find that QSAs do not understand your environment thoroughly enough to make an accurate compliance call. More executives are telling me their recent QSAs struggle when assessing complex technology implementations. QSA work isn’t sexy like it used to be. Back in the day, my favorite projects involved helping companies rebuild their network to include security to close PCI DSS gaps. I solved complex problems involving hundreds of people, thousands of machines, and millions of dollars. It was taxing on my brain, but I absolutely loved the challenge! Solving PCI problems five years ago required considerable knowledge of how business processes and technology fit together. Most companies facing PCI DSS today are ...