Items Tagged with "PCI DSS"
March 10, 2014 Added by:Tal Be'ery
Organizations may find themselves in a “PCI’s Catch 22″ situation: Implementing PCI’s recommended Smart Card Logon for Windows may be in breach of another PCI requirement: to change passwords on a regular basis.
January 16, 2014 Added by:john melvin
We have no way of knowing right now what the causes of the recent Target and Neiman-Marcus data breaches are. It just raises the same questions of: does compliance with PCI standards mean that everything is secure against attacks? If an application is compliant, is that enough? It doesn’t seem to be clear whether or not a company can completely “pass the buck” to the developers and maintaine...
August 21, 2013 Added by:Rohit Sethi
Determining which system components fall under PCI compliance can often be problematic for many companies. When it comes to PCI DSS (Payment Card Industry Data Security Standards) compliance assessments, scoping tends to become a major challenge.
April 25, 2013 Added by:Andrew Avanessian
PCI DSS Requirement guidelines certainly reinforce how compliance has hardened from suggestive or advisory directives to true mandates with hefty fines and strict consequences for those failing to take heed.
March 20, 2013 Added by:Patrick Oliver Graf
The safeguarding of private customer information has become a top priority for many organizations, thanks in no small part to government regulation and industry oversight, as we move toward an increasingly digital world.
March 09, 2013 Added by:Rohit Sethi
If you process, transmit or store credit card data in your software then you’re likely subject to the Payment Card Industry Data Security Standard (PCI DSS). One of the most onerous sections of the PCI DSS is requirement 6: Develop and maintain secure systems and applications.
February 21, 2013 Added by:Rohit Sethi
On February 15, the Open Web Application Security Project (OWASP) came out with its 2013 list of candidates for the Top 10 web application security flaws. The challenge is that while the Top 10 details security flaws, these flaws don’t map cleanly to requirements.
January 28, 2013 Added by:PCI Guru
Acquiring banks, for the most part, cannot answer basic questions about the PCI DSS, so we are supposed to believe that they are experts on retention of pre-authorization data based on a company’s vertical market and region? Talk about passing the buck...
December 05, 2012 Added by:PCI Guru
Put video monitoring on all your POS locations. This does not stop such a swap from occurring, but it does at least record such an event if it does occur. This is particularly important in situations where the customer also acts as cashier as with any self checkout situation...
November 07, 2012 Added by:PCI Guru
The first part of the mythology revolves around what PCI compliant services Amazon Web Services (AWS) is actually providing. According to AWS’s Attestation Of Compliance, AWS is a Hosting Provider for Web and Hardware. The AOC calls out that the following services have been assessed PCI compliant...
October 25, 2012 Added by:Robert Siciliano
Over the past 5 years a scam known as electronic funds transfers at the point of sale (EFTPOS) or skimming has been prevalent. Consumers commonly swipe both credit and debit cards through the in-store machines to pay for goods and services and hackers have been adept at coming up with ways to skim those cards...
September 25, 2012 Added by:PCI Guru
If a third party is providing your organization a service that has access to your cardholder data environment (CDE) or the third party could come into contact you’re your cardholder data (CHD), then that third party must ensure that the service complies with all relevant PCI requirements...
September 04, 2012 Added by:Robert Siciliano
“EMV transactions require an authentic card validated either online by the issuer using a dynamic cryptogram or offline with the terminal... EMV transactions also create unique transaction data, so that any captured data cannot be used to execute new transactions...”
September 03, 2012 Added by:PCI Guru
Just to be clear, I have never argued that pre-authorization data was not to be secured with the same diligence as post-authorization data. I just could not find anything in the PCI DSS that explicitly called out the coverage of pre-authorization data.
August 22, 2012 Added by:Tripwire Inc
This typical reaction I get in the US is many organizations see compliance as a “tax” and try to get away with doing the bare minimum. How do you and your organizations view compliance? Do you see it as a four-letter word, a nuisance, or as a step along the path to more effective security?
August 09, 2012 Added by:PCI Guru
The PA-DSS has a procedure that the PA-QSA can follow to determine that version changes have not affected cardholder data processing and the application’s PA-DSS validation. Without that validation, as a QSA, our hands are tied and we must conduct a full assessment of the application under the PCI DSS...