thePCI Portal

Category: PCI DSS

eye on PCI v4

full speed ahead on PCI v4

In October 2019, actual drafts of PCI DSS v4.0 will be distributed to stakeholders to review.  All Participating Organizations, Qualified Security Assessors (QSAs), and Approved Scanning Vendors (ASVs) will be invited to participate. Another round of feedback will occur in mid-2020. The request for comment (RFC) process will also be a key discussion topic at…

Vulnerability scans are not for req 6.1

Requirement 6.1 is my favourite PCI DSS requirement!  No fancy tools required.  No specialized knowledge.  It can be largely executed by a person on the helpdesk.    And the impact to the overall security posture organization can be huge.  More than that expensive network appliance.  More than that fancy SIEM.  More than that overpriced vulnerability…

PCI compliance and big P Politics

What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money?  Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …

The upcoming revision to the data security standard, version 4

The Council has a blog post about the upcoming revision to the data security standard, version 4. While talking about version 4, the council has specifically identified the following industry feedback related to the DSS: Authentication, specifically consideration for the NIST MFA/password guidance Broader applicability for encrypting cardholder data on trusted networks Monitoring requirements to…

The Future of Payment Security in Canada

Visa Canada’s document “The Future of Payment Security in Canada” published in October 2017 has a lot of interesting information. In addition to an overview of the fraud landscape in Canada it outlines the steps they are taking to reduce fraud. 1. Devalue Data 100% EMV Chip-Enabled Point-of-Sale (POS) Tokenization 2. Protect Sensitive Data Contactless…

Announcing PCI DSS version 3.2.1 !

May 2018 will welcome the arrival of a new version of the PCI DSS.  The minor update will contain NO NEW REQUIREMENTS and will be given the version number 3.2.1. The requirements that came into effect in February 2018 will have the following text removed: Note: This requirement is a best practice until January 31,…

I am NISTy, do i still have to comply with password complexity requirement?

PCI DSS V3.2 Requirement 8.2.3 requires 7 character long passwords   8.2.3 Passwords/passphrases must meet the following: Require a minimum length of at least seven characters. Contain both numeric and alphabetic characters. Alternatively, the passwords/ passphrases must have complexity and strength at least equivalent to the parameters specified above.   I think its reasonable that…

Does a Merchant or Service Provider HAVE to use a PCI Compliant Service Provider (or can that Service Provider be non-compliant)?

I think that everyone would agree that the a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant.  They could also be assessed as part of the assessed entity’s assessment.  But do they need to be “assessed” or “compliant” at all? I think its a risk based decision that depends on…