Category Archives: PCI

Verizon Report should be a Wake Up Call for the PCI SSC

Verizon recently released their annual state of PCI Compliance Report, which attempts to give a snapshot of current issues in the space as well as trending data over previous years. To summarize the report, the state of PCI Compliance is “not good.” It’s now 2015, more than 10 years after the first release of the standard, and we continue to struggle with compliance rates. In a Computer Weekly article, the GM of the Council calls it a “wake-up call for every business that cares about payment security.” Respectfully, I think that the results in this report should be a wake-up call for the Council. These findings combined with lower than expected compliance rates and continued breaches (none of which came from compliant merchants) ...


Banks &amp; Merchants are not ready for EMV

EMV, or that fancy chip thingie that many of you are starting to see in your banking cards here in the US, is an anti-fraud technology released in the 90s with global adoption. US markets are finally taking steps to encourage adoption here, and for the most part, nobody is ready. There is a key date coming up in October of this year. Essentially, merchants who have invested in EMV terminals that are capable of processing a transaction (meaning, the EMV slot can’t just be for show) will benefit from protections if counterfeit cards are used at their location. If they don’t, they are unable to seek relief for chargebacks coming from fraudulent charge reports. It’s the carrot method for ...


New Whitepaper: Preventing Terminal Tampering

PCI DSS 3.0 is here, and from what I can see it appears that companies are scrambling to get the pieces in place to appease their assessors. One of those biggies is new requirement 9.9, which switches from a best practice to a requirement in the middle of this year. If you are just now starting to take a look at how this will affect your compliance programs, I’m afraid to say that you are behind. There are plenty of resources available for you to get into the technical, nitty-gritty components of this requirement. What I found was missing was a business discussion on the options your firm has to meet this requirement. I’m happy to announce a new whitepaper ...


What am I missing? Outsource payments today!

I always enjoy meeting with colleagues in the industry as I learn something every time. I’ve had a chat with a few of you out there and I’m trying to figure out why more companies continue to insource their payment processing and complain about PCI DSS and breaches as opposed to just outsourcing. Thinking back to some of the challenges in previous jobs, I may have helped answer it thanks to a conversation yesterday morning. All providers of IT services want their customers to integrate their product or service into internal IT systems. It creates stickiness and makes it hard to change vendors. Tools like anti-virus, DLP, SIEM, and knowledge management platforms that achieve some level of integration rarely are ...


Incentives in PCI DSS

ETA’s Transaction Trends publication recently featured an article by Darrel Anderson entitled Why PCI Compliance Isn’t Working. In it, he describes one of the problems that we’ve been exploring here over the last month or so—incentive structures for PCI DSS. At the ETA Strategic Leadership Forum, the CEO of a prominent payments company echoed this sentiment by suggesting that his peers in the industry should be invested in taking the bite out of processing payments. Darrel touches on this in his article when he discusses the complexity of PCI DSS and how merchants struggle with it. His first carrot is to make this process easy. But we shouldn’t be focusing on making PCI easier, we should be focusing on making ...


Apple Pay is Not P2PE, and Does Not Replace PCI Compliance

Apple Pay’s announcement two weeks ago caused a flurry of activity—some of it right here on this blog. I had a chance to catch up with someone who is very close to the design of Apple Pay. I was able to get a few questions answered and I wanted to share those answers here with you all. Apple Pay’s NFC uses EMV. EMV is a standard which was implemented in both the chip and contactless variants for payments. It is effectively the first wide-scale system that uses the EMV Token standard released this year. Apple Pay is software that uses the NFC radio built into the iPhone 6/6+. Why did I make this distinction? Each technology (for example, PayWave and ...


The Impact of PCI DSS is Up To You

After reflecting on the PCI Community Meeting last week, it seems that there is a groundswell building. We’re getting ready to release our updated PCI DSS book on October 24 (pre-order here), and in it (as well as in talks I’ve given since the release) we speculate that the changes in 3.0 are mostly minor and give the merchant more flexibility. While I still stand by this, it seems that the perception in the community does not align with this. I had many conversations last week with disillusioned merchants who are struggling to come up with solid plans for updating their programs. We got detailed in the book on how to address some of these issues, including new chapters on ...


Does Apple Pay Signal the Beginning of the End of PCI?

Whether you are a fanboy or not, you have probably seen some news about Apple’s new Apple Pay feature in the iPhone 6. It appears that the sleeping giant of digital wallets is stirring from his slumber. Could this spell the end of PCI DSS for the majority of companies affected by the standard? The last few decades have seen a number of companies attempting to disrupt or revolutionize payments, but like the payment card brands themselves, they battled acceptance. Apple’s new iPhone 6 finally has Near Field Communication (NFC) built into the device, which means it can now interact with contactless payment card readers. The dream of leaving your house with only your phone is not quite a reality ...


PCI Community Meeting, 2014

No snarky comments here, and it’s time for the first of three community meetings starting tomorrow. These meetings have been going on every year since 2007 in Toronto, one year after the Council was formally announced. Even though my career has moved away from the life of a QSA, I have made every one here in the US, and several in Europe, sometimes as a QSA/ASV, other times as a Board of Advisors member, and finally as a sponsor. Last year, I wrote that 2013 was a pivotal year for PCI DSS. We got a new version of PCI DSS that has been controversial at best. It was an opportunity to fix a number of issues in the ecosystem, ...


Will this Band-Aid help?

You know when you get a paper cut in the webbing of your fingers? How many of you just shuddered at the thought of such a minor, but memorable malady? Now, think about one of the times that you got in there really deep and had to find a band-aid. Those normal ones just don’t work! You need a special band-aid with the butterfly flaps on it. Then you can get on with your day without spreading more of your DNA on everything you touch. With all these POS breaches (like Home Depot this week), we need to address a paper cut. The paper cut here is the POS system. We can describe them as two machines with different life ...
