Category Archives: PCI

Visa Issues Eliminating Cardholder Data Brief

Late last night (well, for me in Central time), Visa posted a new brief on their CISP website regarding eliminating the storage of prohibited cardholder data. Essentially, this is just another data brief explaining how to look for and remove prohibited data. Prohibited data, as defined by the PCI Data Security Standard, Requirement 3.2, includes such things as CVV/CVC data (found in the magnetic stripe of the card), CVV2/CVC2/CAV2/CID (the 3- or 4-digit code in the signature panel or on the front of the card), and the PIN or PIN block. According to the brief, there have been a number of compromises recently where prohibited data was stored. For more strategies on eliminating cardholder data, please read my paper entitled “More ...


PCI Requirement 8, what about Administrator accounts?

I had a customer ask me if they had to make the Administrator account/password comply with Requirement 8 of the PCI Standards. Requirement 8 deals with assigning a unique ID to each person with computer access to those systems dealing with cardholder data. Specifically, no generic or shared accounts should be used, especially those that are administrators! The answer is YES, they must comply with the requirements. What does that mean from an operational standpoint? We see customers attack this from various angles. For corporate systems, they are typically just disabling the Administrator account and putting special alerting in place to see if it is ever used (as in: something bad is happening, go deploy the cavalry). In the case ...


WDOCD: Secure Tape Destruction

For our VERY FIRST installment of “What Do Other Companies Do” (WDOCD), Randy Smith has asked the following: “What specifications do other companies require for Secure Tape Destruction (especially for older tapes that could have pre-encryption account number data)? To my understanding PCI does not provide a specification. What standard seems to be “secure enough” for older tapes potentially with unencrypted data? Do you feel that standard is OK to relax when all the account number data is encrypted?” Excellent question, Randy! Virtually every company we work with has some sort of destruction policy for media, and it varies from using a bulk eraser to pulling out the DeWalt and drilling a hole right through it (yes, one company we ...


PCI News Flash! Portuguese & Spanish Translations!

Well, they are finally done! The PCI Security Standards Council has released the Spanish and Portuguese versions of the PCI Standards and Security Auditing Procedures. Visit https://www.pcisecuritystandards.org/tech/supporting_documents.htm for more info!


More Strategies for Eliminating Cardholder Data

Greetings folks. My new article entitled “More Strategies for Eliminating Cardholder Data” has now been published on the VeriSign website. This is an expansion of my previous article, which primarily relied on hashing. Based on clarifications from the card associations, hashing is not a silver bullet (do you know of any that are?) and hashed data is still considered cardholder data. The real risk is that rainbow tables can be created if someone knows how the hash is created. Since the keyspace is so small, rainbow table creation is rapid. This article expands on that, takes a more holistic approach to data elimination, and talks about many other strategies. It does not address the culture shift question that someone ...


Visa Slows Compliance Acceleration Program’s Penalties

eWeek is reporting that Visa has announced it is relaxing the fine and fee deadline of September 30th. Essentially, what this means for non-compliant merchants is that the proposed interchange rate hikes are lessened to simply say that non-compliant merchants will not be eligible for the “best available” tiered interchange rates. However, non-compliant retailers are still facing costs potentially in the millions by not being able to qualify for lower rates during the ever-important holiday shopping season.


PCI SSC Announces Milestone & German Translations

I know, I know… You guys JUST finished reading my previous post and now I’m posting something about PCI. The PCI-SSC released two items of note today. The first is that their participating organization program has surpassed 275 members. When you look at the list of members, there are some pretty impressive names up there! The first big summit is scheduled to be in September. In addition, the German translation of the PCI-DSS has been released. This brings the total translations to 6.
