Categories ArchivesPCI

The following is a guest post by Rob Harvey. Rob is a Consulting Manager inside the PCI practice at VeriSign. ‘Tis the season! Everyone is in the giving mode this time of the year and VISA is no different. VISA announced in the last month a change in the service provider validation levels and reporting. It is also the season for reflecting on the past year and one of the biggest questions we get from our clients is, “Am I a service provider and if so what level do I need to validate against?” Beginning February 2009, VISA will use a modified two level approach for service providers which I hope will add clarity to the question. See the information ...

The day has come! I can’t tell you how many merchants have hounded me for compliance dates outside the US and Canada, and then looked at me like I just told them the sky was red when I could not provide them. Visa, Inc. has formally announced global compliance deadlines (thanks JKA!). If you are a global retailer, or a retailer not based in the US or Canada, the pressure is now on to become compliant with the PCI Standard! Feel free to reach out to a VeriSign QSA if you need assistance! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to ...

The PCI Security Standards Council posted a document on Data Storage Do’s and Don’ts this week. This document does an excellent job breaking down the storage piece of PCI for merchants big and small, but especially for the smaller folks out there. Now, for all of you out there, don’t forget that PCI is NOT just a data storage initiative. Just because you don’t store cardholder data does not exempt you from being compliant. That said, locating your data is step one in understanding how you measure up to the PCI Standard. Consequently, it is also step one in VeriSign’s PCI Program Management methodology. How healthy is your compliance program? If it needs work, drop us a line and we’ll ...

Final round of questions from the field! The first question from this session was “Are end of life operating systems able to be used?” The thing that really worries me about retail is that information security does not seem to be built into the price of goods on the shelf. When someone asks if they are expected to replace hundreds or thousands of devices for PCI Compliance because Microsoft will not support them anymore, I worry more about the overall security of the company. This seems like a reactive approach without any forward strategy, which is unfortunately fairly common. I understand the business implications here. If your competitors are not doing this, you could face additional price pressures by trying ...

I always enjoy the Q/A sessions that the Council has at these events. I don’t know how many sessions I will be able to blog about (we only want the interesting ones anyway), but here’s the first bunch of Q/A from this session! The first question was around segmentation and SANs. I’d never heard the question asked that way, but most SANs by nature are segmented from each other. The more interesting point here is what constitutes segmentation? So many assessors only consider firewalls a method of segmentation. According to the documentation provided by the council, segmentation can be accomplished in multiple ways–not just by deploying firewalls. QSAs should be looking at the whole solution, not just fixating on a ...