Blog Posts Tagged with "PCI SSC"

Why Visa Is Upset

September 13, 2011 Added by: PCI Guru

Visa’s beef with my post is the implied connotation by using the term ‘Chip and PIN’ that a PIN would be required. All I was trying to do was to provide an easily Google-able term for people interested in EMV. Such a complaint from Visa is laughable if it were not so sad...

Comments (2)

Kicked Out of the PCI DSS Club

August 31, 2011 Added by: PCI Guru

A Qualified Security Assessor Company (QSAC) has finally had their status revoked by the PCI SSC. Based on the FAQ, it seems that CSO was not able to provide documentation that supported their conclusions regarding assessment opinions in the ROCs and ROVs they had issued...

Comments (0)

Mobile Payment Application PA-DSS Cert Clarification

August 02, 2011 Added by: PCI Guru

The PCI SSC has stated in this latest clarification that Category 1 and 2 applications and devices can continue through the certification process. These mobile applications have been explicitly called out even though they have been part of the certification process in the past...

Comments (0)

PCI SSC Nixes Certification for Mobile Payments Apps

June 30, 2011 Added by: PCI Guru

"Until such time that it has completed a comprehensive examination of the mobile communications device and payment application landscape, the Council will not approve mobile payment applications used by merchants to accept and process payment as validated PA-DSS applications..."

Comments (0)

PCI SSC Releases Virtualization Guidelines

June 25, 2011 Added by: PCI Guru

If I had to take the PCI SSC to task, I would argue that cloud computing does not have anything to do with virtualization. Yes, a lot of cloud computing solution providers are using virtualized systems to provide their services, but not every cloud provider uses virtualization...

Comments (0)

PCI DSS in the Cloud... From the PCI Council

June 23, 2011 Added by: Anton Chuvakin

The long-awaited PCI Council guidance on virtualization has been released. This guidance does not focus on cloud computing, but contains more than a few mentions, all of them pretty generic. Here are some of the highlights and my thoughts on them...

Comments (1)

Mobile Payments Set to Dramatically Increase

May 26, 2011 Added by: Robert Siciliano

The Payment Card Industry Standards Council is not yet granting approval to any mobile payment applications. With the explosive growth of the mobile payment industry, they are holding off and waiting to see which technologies rise to the top...

Comments (0)

E2E Encryption and Doctored Credit Card Terminals

May 26, 2011 Added by: PCI Guru

End-to-end encryption just moves the attack points, in this case out to the terminal at the merchant’s location. Worse yet, it also makes security of the merchant’s endpoint even more difficult than it already is because the techniques used in doctoring terminals can easily go unnoticed...

Comments (0)

Draft PCI DSS v2.0 “Scorecard” Released

May 18, 2011 Added by: PCI Guru

The biggest change I have found thus far is the removal of the requirement to observe network traffic as the Network Monitoring column is gone. Prior to this point, QSAs were required to obtain network traffic via Wireshark or a similar tool to prove that network traffic is encrypted...

Comments (0)

Proposal for an All-or-Nothing Secure Software Standard

May 10, 2011 Added by: Keith Mendoza

Secure software standards should be all-or-nothing. Either the software (and all of its dependencies) is compliant, or the software is not compliant. Not owning the library, or database, will not be an excuse for not meeting the standards...

Comments (4)

PCI QSA Re-Certification – 2011 Edition

May 10, 2011 Added by: PCI Guru

Regardless of whether or not software is PA-DSS certified, the bottom line is that a QSA is going to be required to assess the application for compliance with the PCI DSS and will have more work effort if the software is not PA-DSS certified...

Comments (0)

An Update On The MPLS Privacy Debate

April 25, 2011 Added by: PCI Guru

In the end, we will have to rely on the statements and representations of the carrier as to whether or not the network is private. Is this a good way to secure your organization? It is as long as your carrier never causes a problem...

Comments (4)

PCI SSC Updates the ASV Training Program

April 05, 2011 Added by: PCI Guru

The ASV training program has blindsided the ASV community as it was a total surprise. Yes, there has been talk over the years at the Community Meetings and in other venues regarding ASV qualifications and training, but nothing ever seemed to come from those discussions...

Comments (0)

Payment Card Industry Data Security Standards Overview

March 17, 2011 Added by: Jon Stout

In a nutshell, the PCI DSS requires companies to build and maintain a secure network. The purpose of the PCI DSS is not only to reduce the amount of payment card fraud and identity theft, but also the costs of mitigating the institutional risks associated with those activities...

Comments (2)

RSA 2011 PCI Council Interview with Bob Russo

March 09, 2011 Added by: Anton Chuvakin

Accidental exposure of cardholder data is a known risk. Identifying where the data truly resides first, through a tool or a methodology, should aid organizations in their assessment efforts and ongoing security...

Comments (0)

The “Magic” Vulnerability – Revised

February 16, 2011 Added by: PCI Guru

You have options to avoid a failing vulnerability scan because of an unsupported OS. The best method, and the one I most recommend, is to not use unsupported operating systems in the first place. However, as a former CIO, I do understand the real world and the issues IT departments face...

Comments (2)