June 22, 2012 Added by:PCI Guru
“At least annually and prior to the annual assessment, the assessed entity should confirm the accuracy of their PCI DSS scope by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope"...
June 13, 2012 Added by:PCI Guru
The biggest problem with PCI DSS standards comes down to the fact that humans are averse to being measured or assessed. Why? It makes people responsible and accountable for what they do, and few people want that sort of accountability – we all much prefer wiggle room in how our jobs are assessed...
June 12, 2012 Added by:Robert Siciliano
EFTPOS skimming — which stands for “electronic funds transfers at the point of sale” — involves either replacing the self-swipe point of sale terminals at cash registers with devices that record credit and debit card data, or remotely hacking a retailer’s POS server...
June 07, 2012 Added by:Andrew Weidenhamer
The level of scrutiny the PCI DSS has been subject to the last couple of years has been bad enough to accentuate it with the advent of the ISA program. The false sense of confidence the ISA program gives individuals is insanely bad for the industry. Like any other certification, the test isn’t difficult..
May 17, 2012 Added by:Stacey Holleran
Many small merchants—whether selling online or brick-and-mortar, or both—don’t have the technological background to understand the steps necessary for protecting the cardholder information and other sensitive data that passes through (and may be stored in) their business systems...
May 11, 2012 Added by:PCI Guru
The PCI SSC only requires its assessors document the services they provide in their assessment reports. While that offers a certain amount of transparency, when you read some of these ROCs, it becomes painfully obvious that some QSACs are assessing their own security services...
May 02, 2012 Added by:david barton
Credit card processors have valuable information that bad guys would love to get their hands on. So processors are the Fort Knox of the modern world. When bad guys are motivated, no amount of security can keep them out. Does that mean PCI-DSS standards are worthless?
April 26, 2012 Added by:PCI Guru
There is a lot of discussion on network segmentation, and this year’s presentation material indicates there are apparently still a lot of QSAs that do not understand the concept of network segmentation and what constitutes good segmentation from poor segmentation...
April 10, 2012 Added by:PCI Guru
The merchant is left to their own devices to know whether any of these mobile payment processing solutions can be trusted. I am fearful that small merchants, who are the marketing target of these solutions, will be put out of business should the device somehow be compromised...
April 04, 2012 Added by:PCI Guru
Most financial institutions purchase their software applications from third party development firms. With all of the regulatory changes going on in the financial institution industry, these software firms have been focused on those regulatory changes and not PCI compliance...
March 28, 2012 Added by:PCI Guru
All of you processors and acquiring banks that think the only proof of PCI compliance is some mystical PCI DSS Compliance Certificate, stop demanding them. They do not exist and never have. The document you need for proof of PCI compliance is the Attestation Of Compliance, period...
March 25, 2012 Added by:Chris Kimmel
One question you should be asking your penetration testing company is, “Do you also test my incident response?” This is an important piece of PCI compliance. As stated by section 12.9 of the PCI DSS v2, a company must implement an IRP and be prepared to respond to an incident...
March 01, 2012 Added by:Danny Lieberman
The first step in protecting customer data is to know what sensitive data you store, classify what you have and set up the appropriate controls. Here is a policy for any merchant or payment processor who wants to achieve and sustain PCI DSS 2.0 compliance and protect data...
February 24, 2012 Added by:Neira Jones
It is crucial that businesses understand which controls are needed to maintain the security of their information assets and it is therefore crucial that suppliers are assessed against the business regulatory and compliance framework...
February 20, 2012 Added by:PCI Guru
What is Visa USA trying to prove with this push of EMV? Apparently only Visa USA can tell us because, for the rest of us, there are no business cases we can construct to justify the switch to EMV. Obviously, Visa USA knows something that the rest of us do not. Or do they?
February 06, 2012 Added by:Neira Jones
We should always aim to reduce the frequency of security incidents by effectively securing networks, systems, applications and have the appropriate policies and processes in place, and the NIST report helps in providing guidelines on responding to incidents effectively...
Hacker to Release Symantec's PCAnywhere Sour... Jerry Shaw on 10-05-2015
PoS Malware Kits Rose in Underground in 2014... on 03-17-2015
New PCI Compliance Study... on 03-17-2015