PCI DSS

Requirements that Cannot be Marked ‘Not Applicable’

October 01, 2011 Added by:PCI Guru

QSAs are questioning the relevance of this clarification in outsourced environments and in environments totally operated through bank-owned terminals and networks. The PCI SSC is clarifying these requirements to ensure that QSAs are confirming that outsourced environments truly are out of scope...

It is Time to Address PCI Compliance Reporting

September 22, 2011 Added by:PCI Guru

The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...

Why Visa Is Upset

September 13, 2011 Added by:PCI Guru

Visa’s beef with my post is the implied connotation by using the term ‘Chip and PIN’ that a PIN would be required. All I was trying to do was to provide an easily Google-able term for people interested in EMV. Such a complaint from Visa is laughable if it were not so sad...

Card Brand Merchant Level Tables

September 08, 2011 Added by:PCI Guru

Sometimes you can negotiate with your processor or acquiring bank to get your multiple legal entities treated as a single entity and do one compliance filing. The key is that you need to negotiate this change before you start your PCI compliance efforts, not after the fact...

Kicked Out of the PCI DSS Club

August 31, 2011 Added by:PCI Guru

A Qualified Security Assessor Company (QSAC) has finally had their status revoked by the PCI SSC. Based on the FAQ, it seems that CSO was not able to provide documentation that supported their conclusions regarding assessment opinions in the ROCs and ROVs they had issued...

A Carrot for Chip and PIN

August 25, 2011 Added by:PCI Guru

EMV and contactless technologies do not entirely solve the fraud problem. While they minimize fraud in the case of card present transactions, they do not even address fraud in card not present transactions. And it is in card not present transactions where fraud is most prevalent...

PCI Compliance and Tokenization

August 12, 2011 Added by:PCI Guru

Tokenization does not imply encryption. However, encryption may be used for tokenization as can one-way hashing. When encryption is used as a way to tokenize sensitive information, the system receiving the token never has the capability to decrypt the token...

Mobile Payment Application PA-DSS Cert Clarification

August 02, 2011 Added by:PCI Guru

The PCI SSC has stated in this latest clarification that Category 1 and 2 applications and devices can continue through the certification process. These mobile applications have been explicitly called out even though they have been part of the certification process in the past...

PCI Compliance Scam? You Tell Me...

July 25, 2011 Added by:PCI Guru

These sorts of actions by organizations just add fuel to the fire for critics to use as another argument as to why the PCI compliance programs are pointless and organizations should not bother with complying with any of the PCI standards...

Some Opinions On PCI Self-Assessment Questionnaires

July 12, 2011 Added by:PCI Guru

Since there are multiple ways to conduct a transaction, no single SAQ will cover all of these transaction methods. And since an organization is only supposed to fill out and submit one SAQ to their acquiring bank, the question becomes, which SAQ should the organization use?

PCI SSC Nixes Certification for Mobile Payments Apps

June 30, 2011 Added by:PCI Guru

"Until such time that it has completed a comprehensive examination of the mobile communications device and payment application landscape, the Council will not approve mobile payment applications used by merchants to accept and process payment as validated PA-DSS applications..."

PCI SSC Releases Virtualization Guidelines

June 25, 2011 Added by:PCI Guru

If I had to take the PCI SSC to task, I would argue that cloud computing does not have anything to do with virtualization. Yes, a lot of cloud computing solution providers are using virtualized systems to provide their services, but not every cloud provider uses virtualization...

PCI DSS in the Cloud... From the PCI Council

June 23, 2011 Added by:Anton Chuvakin

The long-awaited PCI Council guidance on virtualization has been released. This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them...

Thoughts on Trustwave's 2011 Global Security Report

June 22, 2011 Added by:Robb Reck

We bring in these third party vendors because we trust that they have all the experience and knowledge with a given security product. But they are missing a critical piece: Experience with our systems. No technology solution is complete and ideal for every environment out of the box...

VoIP and PCI Compliance

June 15, 2011 Added by:PCI Guru

When you start talking to security people about VoIP security, their knee-jerk response is to tell you that VoIP is secured by the corporate firewall. However, given that the VoIP protocols are stateless, even being behind a firewall really does not provide any protection...

Onsite Personnel "Don't Need No Stinkin' Badges" for PCI

May 30, 2011 Added by:Joe Schorr

To truly improve their security posture, companies should create (and enforce) a mandatory ID Badge policy for visitors and employees. An effective policy coupled with good security awareness training will go a long way to closing up this particular gap in PCI-DSS 2.0...
