A Visa informational release Friday revealed that 65% of Level 1 merchants have now validated their PCI compliance. This is really no big surprise based on the acceleration program (CAP) that was put into place in December of last year. The message to the remaining 35% is pretty clear. You are now in the minority. While I am sure those merchants affected by PCI are well aware of their compliance programs, this may be that final driver to get top level buy in so that projects are appropriately funded and tracked. Most companies we work with have plans, but no support. Let’s go to compliance! Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in ...

The card associations are sternly scolding non-compliant merchants this year, and the attention around PCI related issues has never been greater. Why is it so hard to comply? Surely merchants have some level of security around their customer data, otherwise there would be a compromise every week. Is it technology? Is it cost? Or is it just a lack of motivation from the top down to wrap up these compliance projects? This year, we released a paper that reviewed 60 Reports On Compliance from 50 of our customers over a 15 month period. What surprised us was that what we perceived as one of the easiest requirements to meet–PCI Req 11.2, perform quarterly scans internally & externally–was the TOP failure! ...

In a website posting yesterday, Visa clarified on their Merchants page the requirements around quarterly network scans. From their site…. The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their levels 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses. We’ve ...

Two weeks ago, we released our recent study on why companies are failing PCI. We based our report findings on 60 recent PCI assessments involving 50 different large companies. Since then, there have been multiple media outlets that have picked up and commented on the report. One in particular I’d like to review is an article by TechTarget (which interestingly enough, now has a new title). When Keith Gosselin of the Biddeford Savings Bank in Maine was told that our report showed that nearly half of the companies are failing requirement 11.2 (quarterly scanning), he stated, “It surprises me how high that number is.” I think this was a big shocker for us as well, but after letting the shock ...

In an effort to continue to boost compliance, Visa USA is now publishing a report that details their merchant compliance by level. According to my contacts inside Visa USA, this list will be updated on a monthly basis. We are all expecting the numbers of compliant Level 1 & 2 merchants to increase as fine deadlines approach. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

The PCI-SSC announced today (ok, the date says Tuesday, but it was not posted until this morning) that they are adding PIN Entry Device (PED) security requirements into their domain of responsibility. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?