Posts Categorized: PCI DSS

ASV Scan Interference

Just a reminder of a regular observation we make when conducting ASV scans. It’s the issue of interference from an IDS or IPS system. Whilst such systems are useful in normal production situations, they must not interfere in any way with the ASV scan. If interference is detected by the ASV scan – we have…

Which Visa Europe Agent Are You?

Or, where do I register with Visa Europe once I’ve received my completed ROC? So you’re a service provider, you’ve been assessed by a QSA, and now you want some recognition in the form of a public listing on Visa Europe’s list of compliant service providers, or on the new Visa merchant agent listing web site. But which…

8 Recurring Themes Within The PCI DSS

The PCI DSS is a security standard that embodies a number of underlying principles. What are these principles? As with all PCI compliance questions, the answers usually lie in understanding the intent behind the requirements of the standard. Although there are many individual requirements detailed within the PCI DSS, collectively they are based upon…

PA DSS Process Change

We’ve just been reading the monthly assessor newsletter as sent from the PCI SSC, and there’s an update in there that will affect a number of our PA DSS clients. It’s a process change relating to payment of the SSC’s invoice. To quote: “As soon as a ROV is submitted, we will invoice the application…

Cut-off dates for Visa Europe web listing

This update concerns Level 1 Service Providers (member agents). We just had an update from Visa Europe regarding the final cut-off dates for the December web listing. Normally, this is the 15th of the month (for listing during the same month). However, to accommodate the Christmas holidays, the cut-off for December will be Friday 7th…

Terminology & Mastercard Service Provider Registration

If you’re a service provider, you’ll want to read this information from Mastercard about registering with them as a PCI compliant service provider. But before you read it, it’s worth having a brief tour around some relevant terminology. If you’re a Merchant, you may find this interesting anyway, especially if the PCI compliance and registration…

New: Mobile Payment Acceptance Guidelines

Fresh from the PCI SSC – Mobile Payment Acceptance Guidelines. These are guidelines on payment acceptance using smartphone apps, and will be interesting reading to many of our readers. Download from here.

ASV Reports: The BEAST Inside

Many of our ASV customers are seeing scan reports making reference to a “BEAST” attack susceptibility. But what is it, and more importantly, how can you fix it? The bad news is that our ASV scan report is informing you that the strong encryption on your “secure” web server could be rendered useless and your…

New QIR Program for Integrators and Resellers

If you’re an integrator or reseller of a PA-DSS application or a PA-DSS software vendor implementing PA DSS applications within the merchant environment, then this will be of interest to you. The PCI SSC has announced the Qualified Integrators and Resellers program. This will train and certify software integrators and resellers on the secure installation…

PCI DSS Mandatory Risk Ranking

PCI requirement 6.2 “Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities” includes the additional note: “The ranking of vulnerabilities as defined in 6.2.a is considered a best practice until June 30, 2012, after which it becomes a requirement.” As the summer (at least in the Northern Hemisphere) is…