E-Commerce Startups deal with PCI compliance
Monday, November 3rd, 2008 | Posted in Compliance, Merchant, PCI DSS, Payment Applications, Third-Parties | 11 Comments
When I see someone doing something well I like to put the spotlight on it. Damon has a great blog for startups and how they can deal with security issues. You see, small companies have different needs and interests than ...
PCI DSS version 1.2 differences and updates
Wednesday, October 1st, 2008 | Posted in Approved Scanning Vendor, Compensating Controls, Compliance, Merchant, PCI DSS, PCI SSC, Service Provider, Third-Parties, Web Applications, Wireless | 11 Comments
On October 1, 2008 the PCI SSC released version 1.2 of the PCI DSS requirements. There are a number of changes as outlined previously in the update document. The PCI SSC has established a life cycle process that will ensure ...
Do cut cables affect PCI in the Middle East and Northern Africa?
Monday, February 4th, 2008 | Posted in Third-Parties | 2 Comments
The Middle East has been affected by a fourth undersea cable being cut. I don't think this has had any impact on the state of PCI compliance, but it could have a minor impact on any e-commerce fraud that occurred ...
PABP Compliance Does NOT Imply PCI DSS Compliance
Sunday, December 30th, 2007 | Posted in Service Provider, Third-Parties, Vendors, pa-dss | 10 Comments
It has come to my attention that software vendors do not fully understand their responsibilities regarding Payment Application Best Practices (PABP) compliance and their customers' PCI Data Security Standard (DSS) compliance. PABP compliance does not automatically imply PCI DSS ...
NIST 800-48 Revision 1: Wireless Network Security for IEEE 802.11a/b/g and Bluetooth
Tuesday, August 14th, 2007 | Posted in PCI DSS, Third-Parties, Wireless | 1 Comment
NIST released 800-48-Rev1 on 2007.08.02. Given some recent events, the relevance of wireless security to PCI is unquestionable. If you'd like to submit comments on 800-48, they're due by 2007.09.14. Simply send an e-mail to 800-48comments@nist.gov with "Comments ...
Does The Right Hand Know What the Left Hand Is Doing?
Friday, June 8th, 2007 | Posted in Card Brands, Encryption, Merchant, PCI DSS, Point of Sale, Service Provider, Third-Parties | 3 Comments
According to Digital Transaction News, Visa USA is ready to introduce account-level processing (ALP). "Visa claims ALP will allow smoother transitions to new cards for cardholders, and will let merchants, in partnership with issuers, design more effective rewards programs." Sounds good ...
NIST 800-44 Version 2 - Guidelines on Securing Public Web Servers
Monday, June 4th, 2007 | Posted in PCI DIY, Third-Parties, Web Applications | 1 Comment
The newest revision to NIST 800-44 was released on June 1st. While it's not the complete answer, it's certainly a useful document in the battle for web-application security.
TJX breach may have started with wireless access
Tuesday, May 8th, 2007 | Posted in Credit Card Fraud, Merchant, Third-Parties, Wireless | 6 Comments
The WSJ reports: "The biggest known theft of credit-card numbers in history began two summers ago outside a Marshalls discount clothing store near St. Paul, Minn. There, investigators now believe, hackers pointed a telescope-shaped antenna toward the store and used a ...
What should a Penetration Test include?
Monday, November 13th, 2006 | Posted in PCI DSS, Third-Parties | 11 Comments
Some people have asked (and others added to the confusion) about what is required by PCI DSS requirement 11.3, which calls for an annual penetration test. Here are some answers to those questions: Who? The requirement does not specify who must perform ...
Compliance of Connected Entities and Third-Parties
Sunday, November 5th, 2006 | Posted in PCI DSS, Third-Parties | 2 Comments
Many people have asked "Do you need to audit third-parties?", "Where does the audit end?", "Does a connected entity, not able to access credit card data, need to be PCI compliant?" In a prior post we explained what a "connected entity" ...