thePCI Portal

What is e-Commerce?

If I take payments from customers only via an application on their mobile handheld device, is that ecommerce?     (Should my assessor check e-commerce off in my ROC and AOC?)  The application is one I distribute and not a browser. What is e-Commerce? The term ecommerce is not in the PCI SSC Glossary.  There…

Vulnerability scans are not for req 6.1

Requirement 6.1 is my favourite PCI DSS requirement!  No fancy tools required.  No specialized knowledge.  It can be largely executed by a person on the helpdesk.    And the impact to the overall security posture organization can be huge.  More than that expensive network appliance.  More than that fancy SIEM.  More than that overpriced vulnerability…

PCI compliance and big P Politics

What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money?  Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …

The upcoming revision to the data security standard, version 4

The Council has a blog post about the upcoming revision to the data security standard, version 4. While talking about version 4, the council has specifically identified the following industry feedback related to the DSS: Authentication, specifically consideration for the NIST MFA/password guidance Broader applicability for encrypting cardholder data on trusted networks Monitoring requirements to…

Fishbowl – Connect and Share

Have you heard of fishbowl? I was recently introduced to it. It bills itself as a way to “Connect and share with people in your industry”. The groups of interest are referred to as “bowls” and there is one for PCI DSS practicioners. Supposedly there is a mechanism for anonymously sharing working conditions (and compensation…

Is an Audit Certification in your future?

There are many folks in the PCI industry who will soon require a second security certification.  For a lot of them, it will mean the pursuit of an auditor certification from this list: ISACA Certified Information Systems Auditor (CISA) GIAC Systems and Network Auditor (GSNA) Certified ISO 27001, Lead Auditor, Internal Auditor 1 IRCA ISMS…

Paranoid Physical Security best practice

  Purchase electronics, technology or anything that uses electricity in person at random retail brick and mortar locations whenever possible to minimize adversary’s opportunity to mess with your stuff during delivery. Especially items like keyboards, laptops, personal assistants, cameras, etc. Use your neighbour’s address for deliveries and all your mail. The risk of being poisoned…