What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money? Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …
thanks to Dave Manouchehri for letting us know about the free parking at TD Place Stadium in Ottawa earlier this week! I wonder if credit card data was at risk? 🙂 Parking is hard. Ad below this line:
My experiences and observations around becoming an Internal Security Assessor. Hi, my name is Marlen, and I’ve been working with a QSA handling PCI Compliance on behalf of my employer, a level 2 merchant retailer of Wine, Beer, Spirits, and as of late, Cannabis (a legal product in our jurisdiction). We are now taking the…
The Council has a blog post about the upcoming revision to the data security standard, version 4. While talking about version 4, the council has specifically identified the following industry feedback related to the DSS: Authentication, specifically consideration for the NIST MFA/password guidance Broader applicability for encrypting cardholder data on trusted networks Monitoring requirements to…
Have you heard of fishbowl? I was recently introduced to it. It bills itself as a way to “Connect and share with people in your industry”. The groups of interest are referred to as “bowls” and there is one for PCI DSS practicioners. Supposedly there is a mechanism for anonymously sharing working conditions (and compensation…
There are many folks in the PCI industry who will soon require a second security certification. For a lot of them, it will mean the pursuit of an auditor certification from this list: ISACA Certified Information Systems Auditor (CISA) GIAC Systems and Network Auditor (GSNA) Certified ISO 27001, Lead Auditor, Internal Auditor 1 IRCA ISMS…
Purchase electronics, technology or anything that uses electricity in person at random retail brick and mortar locations whenever possible to minimize adversary’s opportunity to mess with your stuff during delivery. Especially items like keyboards, laptops, personal assistants, cameras, etc. Use your neighbour’s address for deliveries and all your mail. The risk of being poisoned…
Remain calm. There is no PCI DSS v4.0 yet. But from the recent community meeting it looks like v4.0 will become “objective” based. The new Software Security Framework (aka the S3 Framework) will be the Council’s first take using an “objective” based approach. (The Software Security Framework will incorporate the Payment Application Data Security Standard…
Did you know that the Verizon 2018 Payment Security Report has a PCI DSS Compliance calendar that is a great start to (or supplement to) an organization’s internal compliance calendar? Its not a new feature of the annual report, but its nice to be reminded its there and it appears to be updated for version…
SAQ A for PCI DSS v3.2.1 includes requirement 6.2. So don’t forget that redirecting webserver! So, patch that webserver. How do you verify that patching is happening? Review policies and procedures. Examine system components. Compare list of security patches installed to recent vendor patch lists. Ad below this line: