New QIR Program for Integrators and Resellers

If you’re an integrator or reseller of a PA-DSS application or a PA-DSS software vendor implementing PA DSS applications within the merchant environment, then this will be of interest to you. The PCI SSC has announced the Qualified Integrators and Resellers program. This will train and certify software integrators and resellers on the secure installation… Read more »

PCI DSS Mandatory Risk Ranking

PCI requirement 6.2 “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” includes the additional note: “The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.” As the summer (at least in the Northern Hemisphere) is… Read more »

PA DSS Program Guide v2.0

The PA-DSS Program Guide v2.0 and Attestation of Validation (AOV) v2.01 are now available for immediate use. These document updates are primarily about alignment and clarification. They don’t represent a change to the PA DSS standard. Software vendors will be particularly interested in the pricing guide which details the fees charged by the PCI SSC… Read more »

SAQ Eligibility Guide

Choosing the right Self Assessment Questionnaire (‘SAQ’) can be a very tricky task, especially for merchants with multiple payment channels. The PCI SSC introduced five different SAQs: SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced. SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage…. Read more »

PCI Compliance Claims: 3 Questions You Must Ask

One of the great challenges of PCI compliance (or indeed any other compliance activity) is understanding the jargon. Qualified Security Assessors (QSAs) talk extensively about “validation”, “assessment” and “evidence” all day long, but sometimes the reasoning behind these terms is obscured. Part of the issue here is that, statements can be made behalf of products… Read more »

The Cloud & PCI – Propagating Failure?

The cloud may be nebulous, but the security of your valuable data assets should be clearly defined. We’re all seeing a continued movement of services in to the cloud, especially in the Infrastructure-as-a-Service (IaaS) arena. The security issues around cloud computing seem, to us at least, to be similar to the traditional issues – hardening,… Read more »

Which Applications Are Eligible for PA DSS?

If you can answer “yes” to any of the following questions, then your application is not eligible for validation under PA DSS  Is this a beta version of the application? Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement? Does the application facilitate authorization or settlement, but has… Read more »

What Isn’t 2-Factor Authentication?

We’re often presented with environments where the PCI DSS mandates that two-factor authentication (2FA) is required. Sometimes, we see implementations that sound like 2FA, but aren’t. What is 2FA? Two factor authentication is a generic term describing a system that strongly confirms the identity of the person trying to gain access. It does this by… Read more »

RSA SecurID Token Attack

You may recall reading in the press a while ago about an attack against RSA’s servers where confidential data concerning two-factor authentication keys was compromised. Originally, RSA seemed confident that this theft would not result in a realistic attack on the SecurID two-factor authentication system, but now it appears that at least one major client… Read more »