Will your QSA Breach your Contract?

Your QSA may not be telling you the whole story. No, I’m not talking about sloppy assessment work. What I’m referring to is a clause that is supposed to be in your contract with your QSA. The DSS Validation Requirements for Qualified Security Assessors requires that QSAs put a notification in their contracts with their customers telling them that the ROC and supporting materials can be disclosed (Section A.6.3 in the doc linked above). Why does that language need to be in the contract? Because the QSA agrees to send the ROC to certain parties per the operating agreement! In a recent competitive bid situation, we were informed that two (of four) bidders DID NOT have such language in their ...


PCI News Flash! PCI-DSS Version 1.2 to be released in October

If you had any action on the Vegas odds for the release of the next DSS and what it might be called, time to cash in. I was speculating that it would occur around the time of the conference this year, and it would have been called 1.2 (vs 2.0). Ahh, you win some, and you lose some. The official release is here, and hints that there may be some new requirements coming down the pipe. They typically give 18-24 months to implement, so no need to panic now. But watch out for more controls around wireless!


Will you meet the 6.6 PCI Requirement by June 30?

Well? Will you? We’re waiting!?? Hopefully your bank is not taking THAT approach to checking on your status, but I know many merchants are feeling the heat. Jaikumar Vijayan from Computer World writes that when this deadline passes, most people will not be in compliance. If you read the letter of the law, yes, I would agree. But based on the guidance released by the council, if you are compliant with the rest of the standard, there is a pretty good chance you are compliant with 6.6. In this clarification, the Council declared the intent of the code review component to include “Manual web application security vulnerability assessment” and “Proper use of automated web application security vulnerability assessment (scanning) tools.” ...


Why PCI will Never be a Federal Mandate

One of the arguments for becoming PCI compliant is to keep this an industry regulated certification, versus having to deal with a federal mandate like Sarbanes-Oxley. People often ask me if I think PCI will become a federal mandate. I don’t think it is possible. Most federal mandates are designed to protect their citizens (I said MOST… ok?). The electronic payment system already has mandates to protect the citizens. For example, did you know that the Fair Credit Billing Act limits your liability to $50 for unauthorized charges? Personal experience says $0 liability if the physical card is still in your possession. PCI is designed to minimize losses to issuers and the brands caused by a credit card breach and ...


Am I too trusting?

Monday was presentation day at CSI-SX. I had a decent crowd, for the breakout session! One day, I’ll do a talk that is not the last session of the day 🙂 While I was in between sessions sitting in the speakers lounge, one of the other speakers (I did not catch his name) dropped his computer bag and jacket on the chair across from me. I looked up, nodded, and went back to my work. He proceeded to pull out one of those laptop locking devices that you see at public terminals. You know, the ones you can beat with a toilet paper tube. He then secured the whole apparatus (bag included) to the chair! A conference chair. The ones ...


PCI Council Reinforces Standard

The PCI Security Standards Council released a statement yesterday defending the PCI-DSS against claims that the standard is not strict enough and will not protect against common attacks. This is the first real communication we’ve gotten from the council since the announcement of the Hannaford breach earlier this year. This statement is the first to be released to try to counter the negative press from Hannaford telling the world that they were compliant with PCI. This was the first breach of a Level 1 merchant that had validated compliance through a QSA. After reading the statement from the council, vague as it is, merchants should feel better about their PCI programs. The PCI DSS, if properly implemented on a merchant ...
