Definitions, Roles and Responsibilities of PCI
Sunday, June 29th, 2008 Posted in Approved Scanning Vendor, Card Brands, Merchant, PCI DSS, PCI PIN, PCI SSC, QSA, pa-dss | 1 Comment »
In the payments industry there exists the PCI guidelines. When we refer to PCI we are usually talking about the PCI DSS, although as anyone will tell you there is also the PCI PED, PCI PA-DSS, and others you should ...
Verify that Compensating Controls work
Tuesday, June 10th, 2008 Posted in Compensating Controls, Merchant, QSA, Service Provider | 1 Comment »
If you build a new deck in your backyard, would you test it out before inviting your friends and family over for a bar-b-que? Well it turns out that many merchants are documenting compensating controls but not actually testing them ...
How deep do your PCI auditors need to go?
Saturday, September 15th, 2007 Posted in Merchant, QSA, Service Provider | 1 Comment »
One of the more difficult questions to answer about PCI is how to define the scope of a project. This is a topic that does not receive much conversation because it is so very specific to the actual environment. ...
Standards for the Standard?
Saturday, July 28th, 2007 Posted in Compensating Controls, QSA | 3 Comments »
PCI is confusing. The requirements themselves are simple enough, and aim to strike a balance between business objectives and prescribing network topology. I have found it a useful guideline at CSO-level, even when engineers find it a little frustrating, and ...
The Spanish QSA
Monday, June 4th, 2007 Posted in Approved Scanning Vendor, Europe, QSA | 6 Comments »
If you download the latest QSA list, open it up and do a quick search for "Spain", you'll only come up with one name: Daniel Fernandez Bleda of Isecauditors.com, based right here in my home town of Barcelona. I'd had someone ...
What is the difference between QSAs?
Thursday, April 12th, 2007 Posted in PCI SSC, QSA | 4 Comments »
(Please also read: Meet your auditor, Part 1 and Meet your auditor, Part 2) I read comments like this many times where one QSA says the others are not doing as good a job. There is a quote from an ...
5 Myths of PCI Compliance
Saturday, March 3rd, 2007 Posted in Card Brands, Compliance, Conferences, Credit Card Fraud, Merchant, PCI DSS, QSA | 2 Comments »
I've been having this conversation with several of the Security Bloggers Network people and have come to a few conclusions. I would like to address some common misconceptions and address the PCI DSS compliance myths. Myth 1: PCI compliance has ...
PCI Compliance Validation for Canadian Merchants
Friday, February 23rd, 2007 Posted in Card Brands, Compliance, Merchant, QSA | 2 Comments »
Each country and geographic region has its own set of quirks and idiosyncrasies. In San Francisco we don't like it when people say "Frisco" or "San Fran". In New York City when you ask for a hot dog ...
Level 2 Merchant Validation
Tuesday, February 13th, 2007 Posted in Compliance, Merchant, PCI DSS, QSA | 1 Comment »
Max asks: From the literature I've consulted, it seems that the only actions I need to do if I am a level 2 merchant is fill out and submit my self-assessment and my network scan report. However, we have a consulting ...
PCI too prescriptive?
Tuesday, February 6th, 2007 Posted in Compliance, PCI DSS, QSA | 3 Comments »
I want to thank Ed at SecurityCurve for posting a clarification on his concerns about PCI. I think his statements are true and something to be discussed. The question is always posed, "Is PCI too detailed or not ...