Categories Archives: PCI

Is the Council Trying to Kill the QSA Program?

If you can believe it, it has been nearly seven years since the last update to the Qualification Requirements for Qualified Security Assessors (QSAs). This document is the guide that assessors use in their business dealings with the Council. It explains how a firm can become a QSA Company, who is qualified to be a QSA employee, and how the ecosystem works around that whole group. The changes are quite substantial, as evidenced by the change log. The last entry, for 1.2, simply stated alignment issues with PCI DSS v1.2. This version has nineteen entries, including alignment with PCI DSS v3.1. I’m not going to review all the changes here, but I do want to highlight a couple of big changes. ...


Verizon Report should be a Wake Up Call for the PCI SSC

Verizon recently released their annual state of PCI Compliance Report, which attempts to give a snapshot of current issues in the space as well as trending data over previous years. To summarize the report, the state of PCI Compliance is “not good.” It’s now 2015, more than 10 years after the first release of the standard, and we continue to struggle with compliance rates. In a Computer Weekly article, the GM of the Council calls it a “wake-up call for every business that cares about payment security.” Respectfully, I think that the results in this report should be a wake-up call for the Council. These findings combined with lower than expected compliance rates and continued breaches (none of which came from compliant merchants) ...


Banks & Merchants are not ready for EMV

EMV, or that fancy chip thingie that many of you are starting to see in your banking cards here in the US, is an anti-fraud technology released in the 90s with global adoption. US markets are finally taking steps to encourage adoption here, and for the most part, nobody is ready. There is a key date coming up in October of this year. Essentially, merchants who have invested in EMV terminals that are capable of processing a transaction (meaning, the EMV slot can’t just be for show) will benefit from protections if counterfeit cards are used at their location. If they don’t, they are unable to seek relief for chargebacks coming from fraudulent charge reports. It’s the carrot method for ...


The Impacts of Breaches: New Research!

Part of the reason why I went through the enlightening process of my third run through academia as a learner was to be able to contribute research back to the field. I’m happy to announce that my first paper is now public for download. Available for download through the Merchant Acquirers’ Committee is this piece that examines the economic impacts of breaches entitled, The Impacts of Breaches: A Survey of MAC Members on the Realities of Data Breaches. In it, I reveal research that helps to explain some of the economic realities of breaches. Here’s a preview, it’s not as bad as you probably think! I’ve also built an academic manuscript for this paper which goes into much more detail ...


New Whitepaper: Preventing Terminal Tampering

PCI DSS 3.0 is here, and from what I can see it appears that companies are scrambling to get the pieces in place to appease their assessors. One of those biggies is new requirement 9.9, which switches from a best practice to a requirement in the middle of this year. If you are just now starting to take a look at how this will affect your compliance programs, I’m afraid to say that you are behind. There are plenty of resources available for you to get into the technical, nitty-gritty components of this requirement. What I found was missing was a business discussion on the options your firm has to meet this requirement. I’m happy to announce a new whitepaper ...


What am I missing? Outsource payments today!

I always enjoy meeting with colleagues in the industry as I learn something every time. I’ve had a chat with a few of you out there and I’m trying to figure out why more companies continue to insource their payment processing and complain about PCI DSS and breaches as opposed to just outsourcing. Thinking back to some of the challenges in previous jobs, I may have helped answer it thanks to a conversation yesterday morning. All providers of IT services want their customers to integrate their product or service into internal IT systems. It creates stickiness and makes it hard to change vendors. Tools like anti-virus, DLP, SIEM, and knowledge management platforms that achieve some level of integration rarely are ...


Incentives in PCI DSS

ETA’s Transaction Trends publication recently featured an article by Darrel Anderson entitled Why PCI Compliance Isn’t Working. In it, he describes one of the problems that we’ve been exploring here over the last month or so—incentive structures for PCI DSS. At the ETA Strategic Leadership Forum, the CEO of a prominent payments company echoed this sentiment by suggesting that his peers in the industry should be invested in taking the bite out of processing payments. Darrel touches on this in his article when he discusses the complexity of PCI DSS and how merchants struggle with it. His first carrot is to make this process easy. But we shouldn’t be focusing on making PCI easier, we should be focusing on making ...


Apple Pay is Not P2PE, and Does Not Replace PCI Compliance

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...


The Impact of PCI DSS is Up To You

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week with disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...


Does Apple Pay Signal the Beginning of the End of PCI?

Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from his slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempting to disrupt or revolutionize payments, but like the payment card brands themselves, they battled acceptance. Apple’s new iPhone 6 finally has Near Field Communication (NFC) built into the device, which means it can now interact with contactless payment card readers. The dream of leaving your house with only your phone is not quite a reality ...

