Blog Posts Tagged with "PCI SSC"

Pre-Authorization Data – The Card Brands Weigh In

January 28, 2013 Added by: PCI Guru

Acquiring banks, for the most part, cannot answer basic questions about the PCI DSS, so we are supposed to believe that they are experts on retention of pre-authorization data based on a company’s vertical market and region? Talk about passing the buck...

PA-DSS Validation Clarification

August 09, 2012 Added by: PCI Guru

The PA-DSS has a procedure that the PA-QSA can follow to determine that version changes have not affected cardholder data processing and the application’s PA-DSS validation. Without that validation, as a QSA, our hands are tied and we must conduct a full assessment of the application under the PCI DSS...

Small Tech Firms Pursue Level 1 Service Provider PCI Compliance

July 01, 2012 Added by: Stacey Holleran

Small technology companies are finding themselves in a unique business situation as prospective clients increasingly request software applications and hosting solutions that can accommodate secure mobile payment transactions, bringing these technology companies to the forefront as “merchant service providers”...

PCI’s Money Making Cash Cow Not So Good for the Industry

June 07, 2012 Added by: Andrew Weidenhamer

The level of scrutiny the PCI DSS has been subject to the last couple of years has been bad enough to accentuate it with the advent of the ISA program. The false sense of confidence the ISA program gives individuals is insanely bad for the industry. Like any other certification, the test isn’t difficult...

A Reason Why the PCI Standards Get No Respect

May 11, 2012 Added by: PCI Guru

The PCI SSC only requires its assessors document the services they provide in their assessment reports. While that offers a certain amount of transparency, when you read some of these ROCs, it becomes painfully obvious that some QSACs are assessing their own security services...

Another Year, Another QSA Re-Certification

April 26, 2012 Added by: PCI Guru

There is a lot of discussion on network segmentation, and this year’s presentation material indicates there are apparently still a lot of QSAs that do not understand the concept of network segmentation and what constitutes good segmentation from poor segmentation...

When Will PCI SSC Stop the Mobile Payment Insanity?

April 10, 2012 Added by: PCI Guru

The merchant is left to their own devices to know whether any of these mobile payment processing solutions can be trusted. I am fearful that small merchants, who are the marketing target of these solutions, will be put out of business should the device somehow be compromised...

Google Wallet and PCI Compliance

January 30, 2012 Added by: PCI Guru

Hackers could decrypt the PAN given the high likelihood that the PIN to decrypt the PAN could be derived from information on a smartphone. The nightmare scenario would be development of malware delivered through the smartphone’s application store that harvests the PII...

On the Israeli Credit Card Breach

January 08, 2012 Added by: Danny Lieberman

The biggest vulnerability of PCI DSS is that it’s about 10 years behind the curve. When people in the PCI DSS Security Council in Europe confess to never having heard of DLP and when the standard places an obsessive emphasis on anti-virus, you know you're still in Kansas...

The MPLS Privacy Debate Continues

December 21, 2011 Added by: PCI Guru

Given that at some point MPLS traffic has to technically co-mingle with other customers’ network traffic, how can the PCI SSC claim that MPLS is private? The answer is a bit disconcerting to some, but for those of us with an understanding of the engineering issues, it was expected...

Google Wallet and the Edge of PCI’s Regulatory Map

December 14, 2011 Added by: Ed Moyle

Folks might object to sensitive data being stored in cleartext within Google Wallet - I sure do - but the problem isn't so much Google Wallet but instead the fact that mobile devices are blurring the lines between what's a payment application and what's not...

Merchant Beware – New Mobile Payment Solution in the Wild

December 12, 2011 Added by: PCI Guru

Even if Square’s software encrypts the data, the underlying OS will also collect the data in cleartext. Forensic examinations of these devices have shown time and again that regardless of what the software vendor did, the data still existed in memory unencrypted...

Nearly 80% of Retailers' Data at High Risk

November 24, 2011 Added by: Robert Siciliano

Now, after five years of pushing standards out to merchants and retailers, a Verizon study has found that 79% of retailers are noncompliant. No matter how you slice it, retailers are a target and must employ multiple layers of fraud protection to thwart cyber criminals...

Welcome to the PCI Prioritization Approach

October 27, 2011 Added by: David Sopata

Organizations often start implementing security controls on all of their systems throughout the company without really knowing what systems should be in scope or which systems should not be in scope for PCI. Hence, the PCI DSS Prioritization Document and Tool was developed...

The EMV-Contactless World According to Visa

October 11, 2011 Added by: PCI Guru

If Visa were to work with the industry to produce a common API for EMV and contactless cards with PIN online, that would drive adoption of more secure cards in the US because there would be a business reason for adoption. Without such a driver, they are still a solution looking for a problem...

It is Time to Address PCI Compliance Reporting

September 22, 2011 Added by: PCI Guru

The QA process: it all comes down to having used the correct language in responding to the ROC, rather than whether or not you actually assessed the right things. To add insult to injury, the PCI SSC advises QSACs to develop a template for the ROC with all the correct language written and proofed...
