
The Madness of Sampling

The PCI DSS instructs assessors to sample certain parts of the population when validating compliance.  According to the PCI DSS, the sample “must be a representative selection of all of the types and locations of business facilities as well as types of system components, and must be sufficiently large to provide the assessor with assurance that controls are implemented as expected.”  That often leads to the next two questions—the answers to which tend to vary among assessors: What do you mean by representative selection (or how many is representative)? What do you consider sufficiently large to gain assurance? In the audit world, internal auditors that review IT systems will look to statistically valid samples as a method to determine how ...


MasterCard/Visa Remove Reciprocity

Thanks to a fellow reader for pointing this out!  It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions.  Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection). Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold.  Now it appears that this is the case as the official merchant level definitions reflect exactly this. Unfortunately, the road does not end there.  In fact, it starts forking like crazy. Now that ...


Curious on Visa’s Deadlines?

Are you wondering which deadlines for PCI DSS have passed and which ones are upcoming?  Unfortunately, in most cases the deadlines you are looking for are in the past, with some exceptions.  That’s one of management’s challenges to PCI. Manager: “Tell me what the date is, and I’ll work toward the date.” You: “More than a year ago.” Manager: “I can’t manage to that. Go get an extension and tell me that date.” At this point, you pretty much should just make up a date.  Sure, an acquirer can give you a date, as can some payment brands, if you pick up the phone and call them. It does not ultimately mean anything if you are breached tomorrow. For those ...


Visa Releases Data Field Encryption Guidance

Earlier this week Visa, Inc. released a best practice bulletin on data encryption that details five security goals (paying homage to The Security Catalyst’s “3s and 5s” rule), and thirteen best practices that companies can implement to meet them. The five goals as listed in the bulletin are:

- Limit cleartext availability of cardholder data and sensitive authentication data to the point of encryption and the point of decryption.
- Use robust key management solutions consistent with international and/or regional standards.
- Use key-lengths and cryptographic algorithms consistent with international and/or regional standards.
- Protect devices used to perform cryptographic operations against physical/logical compromises.
- Use an alternate account or transaction identifier for business processes that require the primary account number to be utilized after ...


The Social Media Ban

Attendees to the PCI Community Meeting in Vegas two weeks ago were treated to an interesting warning at the opening of the session. No social media or blogging during the meetings. I know that I picked up on it more than anyone else as I tweet and blog just a little. It didn’t take long for attendees to be warned about its use. During Bob’s opening remarks, he cautioned users not to tweet or live blog the events. The two-part irony behind the situation is that members of the press were welcomed into the meetings this year, and three of the five founding members of the council have embraced Twitter:

- Discover
- MasterCard (including four executives)
- American Express (albeit just a ...


The Definition of Cardholder Data

The definition of cardholder data for most of us usually stops at the Primary Account Number, or PAN.  Those pesky digits that we have to protect as they run through our systems cause CIOs to cringe and security professionals to salivate over potential budget money.  Before you can embark on your information security journey, you need to understand what you must secure, and where it is.  I’ve posted about this before. As this is one of my most popular posts, I wanted to go back and revisit this post. When I wrote this post, we were still dealing with PCI DSS v1.2.1. While the definition has not changed in more recent versions, the landscape has quite a bit. I’ve updated ...


Ask the Council

Vegas is in the books, baby!  I’d call it a successful community meeting.  The networking opportunities were fantastic, and the sights were awesome (including seeing Russo dress up like Elvis, which I did not take a picture of… see Bob? I can play within the rules :).  More on the handling of social media later…. it was not handled well.).  For those staying in THEhotel, we got to walk off calories consumed with the long walk from the room to the conference center that we made at least twice daily.  Of course, it is Las Vegas.  It’s REALLY hard to concentrate when you know that you don’t have to walk far to be bombarded by flashing lights, bells, whistles, and ...


PCI Community Meeting Update Schedule

The meeting this year promises to be a goodie!  What you won’t see from attendees (including me) is any live blogging or tweeting about the meetings this year.  I’m going to be responsible this year, and will blog about the event AFTER it happens. Don’t expect any confidential information to be revealed (though that’s not something you should expect from me if you have been reading my blog for any period of time now).  Concepts that you might find here will always apply knowledge in a general manner.  I will do some kind of wrap up posting series next week. So this week, look for us at the PCI Community Meeting, and come to the Welcome Reception sponsored by VeriSign ...


Why You Should Love a PCI Hater!

Ahh, the haters.  Everyone that deals with PCI on a regular basis knows one.  Sometimes they take the form of a guy that doesn’t want to actually do his job, or an armchair security gal, or your nemesis that uses his industry position to irresponsibly spread false propaganda, or true security experts that point out serious concerns or flaws with the standard.  As security professionals, we key stakeholders (including QSAs, ASVs, payment brands, and the framers of the standard itself) need to listen to the last group intently to ensure that we understand the risks as they pertain to the changing threat landscape, making adjustments where appropriate to protect the data entrusted to us. PCI haters are valuable people.  By ...


PCI Community Meeting, Vegas!

I hope to see many of you next week at the PCI Community Meeting in Las Vegas!  VeriSign will have a booth and is a sponsor for the event.  If you are going, please do stop by our booth and attend our sponsored cocktail hour!  We’ll have some goodies and some exciting news for everyone that stops to chat! At this point, I’m not sure what kind of coverage I’ll be able to provide from the meeting, but more on that soon. Before you arrive for the sessions, I urge you to review the myriad of information available on the PCI Security Standards Council website, including the recently published SIG papers, and prepare your questions.  This is your chance to ...

