The card associations are sternly scolding non-compliant merchants this year, and the attention around PCI related issues has never been greater. Why is it so hard to comply? Surely merchants have some level of security around their customer data, otherwise there would be a compromise every week. Is it technology? Is it cost? Or is it just a lack of motivation from the top down to wrap up these compliance projects? This year, we released a paper that reviewed 60 Reports On Compliance from 50 of our customers over a 15 month period. What surprised us was that what we perceived as one of the easiest requirements to meet–PCI Req 11.2, perform quarterly scans internally & externally–was the TOP failure! ...

In a website posting yesterday, Visa clarified on their Merchants page the requirements around quarterly network scans. From their site…. The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based in the externally-facing Internet Protocol (IP) address provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their levels 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses. We’ve ...

Two weeks ago, we released our recent study on why companies are failing PCI. We based our report findings on 60 recent PCI assessments involving 50 different large companies. Since then, there have been multiple media outlets that have picked up and commented on the report. One in particular I’d like to review is an article by TechTarget (which interestingly enough, now has a new title). When Keith Gosselin of the Biddeford Savings Bank in Maine was told that our report showed that nearly half of the companies are failing requirement 11.2 (quarterly scanning), he stated, “It surprises me how high that number is.” I think this was a big shocker for us as well, but after letting the shock ...

In an effort to continue to boost compliance, Visa USA is now publishing a report that details their merchant compliance by level. According to my contacts inside Visa USA, this list will be updated on a monthly basis. We are all expecting the numbers of compliant Level 1 & 2 merchants to increase as fine deadlines approach. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

The PCI-SSC announced today (ok, the date says Tuesday, but it was not posted until this morning) that they are adding PIN Entry Device (PED) security requirements into their domain of responsibility. Possibly Related Posts: PCI DSS 4.0 Released plus BOOK DETAILS! PCI Council Loses $600K in Revenue, PO Population on the Decline Why PCI DSS 4.0 Needs to be a Complete Rewrite Orfei Steps Down Should you be a PCI Participating Organization?

Late last night (well for me in Central time), Visa posted a new brief on their CISP website regarding eliminating the storage of prohibited cardholder data. Essentially, this is just another data brief explaining how to look for and remove prohibited data. Prohibited data as defined by the PCI Data Security Standards, Requirement 3.2, includes such things as CVV/CVC Data (as found in the magnetic stripe of the card), CVV2/CVC2/CAV2/CID (3 or 4 digit code in the signature panel or front of the card), and the PIN or PIN Block. According to the brief, there has been a number of compromises recently where prohibited data was stored. For more strategies on eliminating cardholder data, please read my paper entitled “More ...