6:10 pm As a standard that pays a lot of attention to practical activities, the PCI Security Testing includes a range of activities. We frequently see confusion about what needs to be tested, how and when. At the end of this post is a link to our short guide to all PCI DSS testing requirements. Some key…
5:19 pm If you’re an integrator or reseller of a PA-DSS application or a PA-DSS software vendor implementing PA DSS applications within the merchant environment, then this will be of interest to you. The PCI SSC has announced the Qualified Integrators and Resellers program. This will train and certify software integrators and resellers on the secure installation…
4:43 pm PCI requirement 6.2 “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” includes the additional note: “The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.” As the summer (at least in the Northern Hemisphere) is…
5:16 pm If you’re a service provider, this message will certainly be of interest to you. As many of you will know, the process of registering as an agent is an important step in being recognised by Visa Europe as a PCI compliant service provider. Historically, this has meant finding an existing Visa member organisation (such as…
4:46 pm The PA-DSS Program Guide v2.0 and Attestation of Validation (AOV) v2.01 are now available for immediate use. These document updates are primarily about alignment and clarification. They don’t represent a change to the PA DSS standard. Software vendors will be particularly interested in the pricing guide which details the fees charged by the PCI SSC…
5:12 pm Choosing the right Self Assessment Questionnaire (‘SAQ’) can be a very tricky task, especially for merchants with multiple payment channels. The PCI SSC introduced five different SAQs: SAQ A – Card-not-present Merchants, All Cardholder Data Functions Outsourced. SAQ B – Merchants with Only Imprint Machines or Only Standalone, Dial-Out Terminals. No Electronic Cardholder Data Storage…
6:11 pm One of the great challenges of PCI compliance (or indeed any other compliance activity) is understanding the jargon. Qualified Security Assessors (QSAs) talk extensively about “validation”, “assessment” and “evidence” all day long, but sometimes the reasoning behind these terms is obscured. Part of the issue here is that statements can be made on behalf of products…
5:05 pm The cloud may be nebulous, but the security of your valuable data assets should be clearly defined. We’re all seeing a continued movement of services into the cloud, especially in the Infrastructure-as-a-Service (IaaS) arena. The security issues around cloud computing seem, to us at least, to be similar to the traditional issues – hardening,…
3:49 pm If you can answer “yes” to any of the following questions, then your application is not eligible for validation under PA DSS: Is this a beta version of the application? Does the application handle cardholder data, but the application itself does not facilitate authorization or settlement? Does the application facilitate authorization or settlement, but has…
3:33 pm We’re often presented with environments where the PCI DSS mandates that two-factor authentication (2FA) is required. Sometimes, we see implementations that sound like 2FA, but aren’t. What is 2FA? Two factor authentication is a generic term describing a system that strongly confirms the identity of the person trying to gain access. It does this by…