Categories ArchivesPCI

Andrew Conry-Murray of Information Week writes: Bottom line, PCI compliance is mutable. While a compliance certification is valid for one year, a retailer may perform actions, or fail to perform actions, that take it out of compliance. On the one hand, this is sensible. PCI rules are like the dietary guidelines a doctor issues to a patient. It’s not the physician’s fault if someone with through-the-roof cholesterol ignores advice and eats like Homer Simpson. Could I have said it better? PCI? Program not Project? Homer Simpson? I think not. This is the reason why we created the PCI Program Management offering at VeriSign. This helps customers maintain compliance, and get management confidence that they are compliant every day. Oh yeah, ...

The PCI Security Standards Council looks as if they have released that FAQ they have been working on! I can tell you that this is a huge relief for everyone involved (merchants, service providers, QSAs, ASVs, etc.) as the volume of questions that the council was dealing with prevented them from turning around answers quickly. Course, quickly is a relative term. But consider their position. Here at VeriSign, we might submit 1 question every couple of months, but other QSAs may submit more. For every question that VeriSign (or any QSA) submits, they must get buy in on the answer from all 5 members before it can be turned around. You can see how this can easily take days or ...

In a recent update to their website, MasterCard has altered its merchant levels to match Visa’s, and is giving Level 2 merchants until December 31, 2008 to validate compliance. This is another entry in the long standing debate about compliance dates, and what that means for merchants. Most of these merchants are already being fined in conjunction with the Visa Compliance Acceleration Program if they have not validated, so the extended dates may indicate fines or tougher pressure by MasterCard as the date passes (this is PURE speculation). This should not add any pressure to existing Level 2 merchants that have not validated, though having 2 card associations looking at you is definitely worse than one. Possibly Related Posts: PCI ...

In Mike Dahn’s PCI Answers blog, a post was made over the break about the Secure hashing of PANs As this blogger has said on many occasions before, hashing is a double edged sword. Theoretically, you could create a hash that is as secure as a CipherText from an encryption algorithm. If you used a 10 kilobit salt (effectively the Key) plus the PAN, you would have something quite secure and would not run into issues with collisions. The problem is that you cannot change your keys without retaining the original PAN. If you did change your key, new hashes of the same PAN would not match old hashes. Perhaps the biggest issue, people treat hashes differently then they do ...

Visa just released slides from a webinar on Automatic Fuel Dispensers (AFDs) as it relates to skimming. Looking at the pictures they included, this is something we all could easily be victims of as there do not appear to be any external signs that you are becoming a victim of foul play (thanks Shane!). AFDs are notorious for having these kinds of issues simply because there is not someone watching over them like a cashier does at a traditional Point of Sale (POS). We’ve seen examples of this occurring in ATMs as well. Not only is this a call to duty for AFD manufacturers to become compliant with PED and PA-DSS standards, but it is a call for merchants using ...

Just got back from London (and I feel fantastic!), and they are really taking an interest in PCI. I found it very interesting that many of the Big 4 are still heavily involved in providing advice about PCI even though they are not Qualified Security Assessment Companies. The funny thing is that the UK seems to be where the US was about three years ago. Still in the discovery phase, and not a ton of C-level attention yet. Until Visa, Inc. puts something like the Compliance Acceleration Program in place over there, it will likely have a very slow adoption rate. Hopefully Visa will give people at least 24 months notice, and the banks will over-communicate with their merchants so ...

Yep, more PCI posts. Visa has just released their new Payment Application Security Mandates which give a new timeline for merchants to use PABP (or now PA-DSS) validates payment applications. If you are using a third party application and it is not validated by July 1, 2010, you will likely be subject to fines by your acquirer. There are other items leading up to that, but this is the big one for most merchants. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

We’ve all heard speculation, and even speeches where we were told this was coming, but it is now finally one step closer to reality. Today, the PCI Security Standards Council announced the Payment Application Data Security Standard, and its intention to release the new standard by Q1 of 2008. Unfortunately, to my knowledge the PA-DSS is not quite out of draft form yet, and is still sitting with the Members. Once it is clear of that review process, I hope that QSAs will be given an advance copy like we were of the proposed questionnaire. While we are prohibited in sharing the documents with our customers, we can speak to their makeup and how it might affect our them. Stay ...

A Visa informational release Friday revealed that 65% of Level 1 merchants have now validated their PCI compliance. This is really no big surprise based on the acceleration program (CAP) that was put into place in December of last year. The message to the remaining 35% is pretty clear. You are now in the minority. While I am sure those merchants affected by PCI are well aware of their compliance programs, this may be that final driver to get top level buy in so that projects are appropriately funded and tracked. Most companies we work with have plans, but no support. Let’s go to compliance! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in ...

The card associations are sternly scolding non-compliant merchants this year, and the attention around PCI related issues has never been greater. Why is it so hard to comply? Surely merchants have some level of security around their customer data, otherwise there would be a compromise every week. Is it technology? Is it cost? Or is it just a lack of motivation from the top down to wrap up these compliance projects? This year, we released a paper that reviewed 60 Reports On Compliance from 50 of our customers over a 15 month period. What surprised us was that what we perceived as one of the easiest requirements to meet–PCI Req 11.2, perform quarterly scans internally & externally–was the TOP failure! ...