Categories ArchivesPCI

Your QSA may not be telling you the whole story. No, I’m not talking about sloppy assessment work. What I’m referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors requires that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement! In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their ...

If you had any action on the Vegas odds for the release of the next DSS and what it might be called, time to cash in. I was speculating that it would occur around the time of the conference this year, and it would have been called 1.2 (vs 2.0). Ahh, you win some, and you lose some. The official release is here, and hints that there may be some new requirements coming down the pipe. They typically give 18-24 months to implement, so no need to panic now. But watch out for more controls around wireless! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI ...

Well? Will you? We’re waiting!?? Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computer World writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6. In this clarification, The Council declared the intent of the code review component to include “Manual web application security vulnerability assessment” and “Proper use of automated web application security vulnerability assessment (scanning) tools.” ...

One of the arguments for becoming PCI compliant is to keep this an industry regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don’t think it is possible. Most federal mandates are designed to protect their citizens (I said MOST… ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession. PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and ...

The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we’ve gotten from the council since the announcement of the Hannaford breach earlier this year. This statement is the first to be released to try and counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the council, vague as it is, merchants should feel better about their PCI programs. The PCI DSS, if properly implemented on a merchant ...

Phillip Hallam-Baker commented recently on my post about the NRF, but specifically added to the chip and pin point. Thanks Phillip! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

While others at VeriSign are headed to ETA, I took the opportunity to speak about PCI to the OpenTravel Advisory Forum in Atlanta today. A shout out to an excellent group of individuals that are in one of the more difficult industries with respect to PCI (the other being Fuel Dispensing). Thanks for the hospitality! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Clement James writes about a security expert that slams PCI, stating that the breach in the news “was almost certainly the work of hackers exploiting a single code flaw on internal systems.” The expert goes on to say that “PCI takes a relaxed attitude towards internal machines.” While I agree that there is room for improvement on internal controls for PCI, remember, it’s not designed to protect your entire enterprise. It is a basline, and you should layer security on top. The challenge is this: not until the end of last year did we see a compliance validation rate exceeding 60% among Level 1 merchants. If you make the standard too hard, you will have little or no adoption. You ...