PCI DSS and Regulatory Compliance Blog

Kiosks and PCI

Wednesday, June 4th, 2008 Posted in PCI DSS | 11 Comments »

Someone asked me a great question today about edge-case PCI situations.  The question involved kiosks and their adherence to PCI DSS compliance. We know that kiosks can be just like any other point-of-sale (POS) if they are used as such.  That's ...

PCI Compliance and Virtualization

Wednesday, May 21st, 2008 Posted in Card Brands, Compliance, PCI DSS, Uncategorized | 4 Comments »

People have asked if Virtual Servers can be used in a PCI DSS compliant environment or if they violate requirement 2.2.1 which says, "Implement only one primary function per server".  The answer is that virtual servers, virtual clusters, and even ...

Cost of PCI compliance?

Monday, May 19th, 2008 Posted in Compliance, Merchant | 9 Comments »

Walt reminded me today of a conversation being had about the cost of PCI compliance.  He and Scott have been calculating the cost of compliance within the USA.  They say it's about $2 billion or more, give or take.  I ...

Russian translation of PCI DSS and SAP

Thursday, May 8th, 2008 Posted in Card Brands, Europe, PCI DSS | 1 Comment »

Maxim Emm from Infosec in Russia has translated the PCI DSS, PCI Security Audit Procedures, and Navigating the PCI DSS into Russian.  This is an unofficial copy of these documents but could be helpful to people who would like this ...

PCI SSC Clarifies Requirements 6.6 and 11.3

Tuesday, April 22nd, 2008 Posted in PCI DSS, PCI SSC, Web Applications | 15 Comments »

Today the PCI SSC issued a press release about their clarification to PCI DSS Requirements 6.6 (web-application firewall vs. secure code review) and 11.3 (penetration testing).  If you check the supporting documents section of the website you will find the ...

Requirement 6.6 clarification

Wednesday, April 16th, 2008 Posted in PCI DSS, PCI SSC | 5 Comments »

It's almost midnight and I'm back in my hotel room.  What a long day!  I played "booth babe" and talked with prospective clients at ETA.  Seeing that attendance appears to be down from last year, we had a large group ...

Web-Facing Applications

Tuesday, April 15th, 2008 Posted in PCI DSS, Payment Applications | 6 Comments »

So, the eternal question: what is the difference between the PCI DSS 6.5 "web application" and the 6.6 "web-facing application"?  The intent of 6.5 is for internally developed, Internet- and intranet-facing web applications.  PCI DSS 6.6 is meant for Internet-facing web applications, and ...

PCI Product Vendors @ RSA

Thursday, March 20th, 2008 Posted in Compliance, PCI DSS, Vendors | No Comments »

Over the past few weeks I have received hundreds of emails from vendors asking for a meeting at RSA.  Like most media flacks, I've ignored these for the most part, but replied to any that mentioned "PCI" in their product ...

To CVV2 or not to CVV2?

Saturday, March 15th, 2008 Posted in Merchant, PCI DSS | 2 Comments »

Should I accept CVV2/CVC2 or not?  That is the question.  Long-time readers may notice I link to Walt's content, but he offers up some great information, especially to Higher Education. Checking the security code does not affect the interchange fee ...

PCI DSS Wireless FAQ

Saturday, March 15th, 2008 Posted in PCI DSS, Wireless | 6 Comments »

Many people think that Wireless only applies to three requirements within the PCI DSS (1.3.8, 2.1.1, 4.1.1) and that it only applies to companies that have implemented wireless, but this is not the case. The latest Aegenis whitepaper / FAQ on ...