Category Archives: PCI

Mixed Mode and PCI DSS 2.0

One way to get the spidey sense of a savvy security professional tingling is to mention the use of “mixed mode” virtualization in an IT initiative tied to compliance. Companies are trying to figure out how to build security into their virtualized environments in a way that covers them from both a security and a compliance perspective, and the industry is quite divided over the issue. Mixed mode, in the context of this post, describes a virtual infrastructure that hosts both guests holding PCI DSS data (cardholder data in scope for the standard) and guests that do not. Before we delve into the security concerns, let’s level-set. PCI DSS, in its purest sense, is ...


Where is Cloud in PCI DSS 2.0?

It doesn’t take a keen observer to notice that the term “cloud” doesn’t appear anywhere in PCI DSS 2.0; in fact, the “Find” feature will confirm that for you. Sure, strides were made to bring virtualization into the fold (even though many individuals argued you don’t need to include it explicitly, just apply the standard to it), but that is only the first of many steps on the journey to the cloud. If you are on the very front edge of the cloud transformation wave, you may have already had to discuss how you use cloud services with your QSA. My bet? It was a painful discussion that left both parties leery of the other. My comments in this month’s Digital ...


Scoping Fun with PCI DSS 2.0

OK, so as you can see from the comments, my post yesterday generated a bit of controversy. I must apologize for the 1.3.3 miss, as I did my initial research after a long night of, um, networking at the PCI Community Meeting in Orlando. That post was put together in haste over the last three days, while trying to review and decipher some passionately scrawled chicken scratch. I went back and responded to the comments (no editing, it’s all there), and wanted to talk about another significant change I didn’t discuss yesterday. Page 10 of PCI DSS 2.0 adds quite a bit of text to the scoping guidance that QSAs and assessees use to determine the correct scope for their ...


PCI DSS 2.0 Release and Review

Yep, it’s out. Well, at the time I am writing this it is not out, but by the time you read this it will be! You can download the standard and the summary of changes at the Council’s new site. I’m not going to go over EVERY change, but I will highlight some of the more significant ones that will affect how companies approach PCI DSS. Here are some highlights that I think are interesting. The explanation of how and where PA-DSS applies is a key clarification: it was well known in the industry but was never documented in the standard like this. Very helpful. VIRTUALIZATION is FINALLY included throughout the standard, from page 10 in the scoping guidance through to ...


American Express Updates Merchant Reporting Requirements

This week is a big one for those of us involved in PCI DSS, and all that implies. Check back on Thursday for a review of the changes in PCI DSS v2.0. I’ve completed an initial review using the embargoed version, but I will double-check my work against what actually comes out on the 28th. In the meantime, American Express quietly pushed a change to its Merchant Reporting requirements over the weekend. What was previously a requirement for the EU only is now a global requirement regardless of location. Level 2 American Express merchants (defined as those processing between 50,000 and 2.5 million transactions per year) must now submit an annual SAQ and quarterly network scans performed by ...


Is Tokenization Safe?

In our industry, topics turn hot and cold in record time. The hot topic this week seems to be the safety of using tokenization as a way to reduce compliance and security requirements. I found a blog post on StoreFront BackTalk by Walt Conway that poses the question, “What happens to my data if my token vendor goes bankrupt?” Earlier in the week, as part of my ISSA Editorial Advisory Board duties, I reviewed an article that posed some of the very same questions. Outsourcing the handling of payment data is a critical decision for merchants, and it should not be taken lightly. Just like any other major decision a company makes, merchants should perform a risk ...


Full Review of the 2010 PCI Community Meeting

Note: After my last post, I received a phone call giving me permission to fill in the blanks. So here’s what I really wanted to say! It’s almost like a Mad Lib. In fact, you should try that with the last post; I bet it would be fun! PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the PCI Community Meeting that just wrapped in Orlando! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (a Participating Organization, QSA, ASV, or one of the other acronyms we have come to love) you are missing out. Of course, the first thing we ...


Review of the 2010 ____ ____ Meeting

PCI 2.0 is just around the corner, and what better way to discuss it than by reviewing the ____ ____ ____ that just wrapped in ____! Much of the information we received was classified as confidential or embargoed, so unless you are a stakeholder (a ____ ____, ____, ____, or one of the other acronyms we have come to love) you are missing out. Of course, the first thing we all heard was the ban on social media. Ironically, there was a press table in the back, so I’m not sure what those folks are going to be able to do with the information if they cannot write about it. Anyway, here’s my take: Wednesday’s session kicked ...


MasterCard Service Provider Registration Explained

Edit (July 2, 2022): A very helpful reader let me know the PDF linked below had been removed from the MasterCard site. I found the PDF and have re-linked to the latest version. It appears that MasterCard has removed the details of its registration program, which suggests it may no longer be active. MasterCard released (or re-released) a guide on how to become a registered and approved Member Service Provider (MSP), a requirement for being listed as a compliant MasterCard Service Provider. The PDF linked above lays out a detailed process for completing this, including two major tasks spread out over several days. The first step is to apply for and receive your user ID under the MasterCard Registration Program. After ...


PCI DSS versus Y2K

It’s been an interesting week in the PCI DSS world. I was a contributor to a webcast from First Data on scope reduction using tokenization. We had the webcasts from the Council about the changes in PCI DSS coming on October 28, and I seem to have received a flood of emails reminding me about the community meetings in Orlando and Barcelona. From a global perspective, PCI DSS is slowly making strides in several locales, to the point where I often adjust my daily schedule to help customers in the Pacific Rim, the Middle East, Asia, and Europe. Australia- and New Zealand-based companies seem to be taking particular interest in PCI DSS, equivalent to the levels we saw in early ...
