If I take payments from customers only via an application on their mobile handheld device, is that ecommerce? (Should my assessor check e-commerce off in my ROC and AOC?) The application is one I distribute and not a browser. What is e-Commerce? The term ecommerce is not in the PCI SSC Glossary. There…
But someone told me that mobile apps on consumer devices are out of scope….. FAQ 1283 from June 2014 If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for…
Visa Canada’s document “The Future of Payment Security in Canada” published in October 2017 has a lot of interesting information. In addition to an overview of the fraud landscape in Canada it outlines the steps they are taking to reduce fraud. 1. Devalue Data 100% EMV Chip-Enabled Point-of-Sale (POS) Tokenization 2. Protect Sensitive Data Contactless…
Hopefully your work is complete (or well underway!) to move from SSL/early TLS to a more secure encryption protocol June 30 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged). And while you are at it, double check to…
The Register has a story about a breach at cloudy service supplier Aptos. Aptos has several cloud services. POS in the cloud. Ecommerce in the cloud (didn’t see that one coming!). etc. The timeline of what happened is: Feb 2016 – There was a breach and malware installed in the cloud. Nov 2016 – Aptos…
Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. Its a comprehensive 64 page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…
If you are an SAQ-A merchant, or think you might be, there is some more guidance from the Council on your security requirements. Version 3.2 of SAQ A has introduced additional requirements “to help protect merchant websites from compromise and maintain the integrity of the redirection mechanism”. But this wont shock anyone who hasn’t descoped…
Thanks to the PCI Guru for bringing this story to my attention with this post. In the continued vein of “Don’t descope your redirecting ecommerce web server!“, the The Foregenix Digital Forensics and Incident Response Team talks about some of the risks that remain in your ecommerce payment channel, even if you are redirecting, using…
I got tired of hunting these down regularly. Here are the official TLS and SSL reference links in one spot: SSL/Early TLS: Working with an ASV on Failed Scans http://blog.pcisecuritystandards.org/working-with-an-asv-on-failed-scans INFORMATION SUPPLEMENT Migrating from SSL and Early TLS Version 1.0 Date: April 2015 Author: PCI Security Standards Council – Includes: Preparing a Risk Mitigation and…
The 2016 SIG election is over and the winning topic selected is “Best Practices for Safe E-Commerce“. The new SIG will kick off January 2016 but you can register to participate NOW. Ad below this line:
