thePCI Portal

Category: PCI DSS

A new kind of fine related to non-compliance – $100K+

Dwolla (the online payment system) claimed that it encrypted all sensitive personal information and that its security practices exceeded industry standards and achieved compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Supposedly the (USA) Consumer Financial Protection Bureau thinks that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from…

PCI DSS 3.2

Have you read the PCI Security Standards Council blog post with a version 3.2 Q&A with Chief Technology Officer Troy Leach yet? Some of the highlights include: What’s in 3.2? evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers;…

Remove Protection from Word Document

Have you ever been stymied in copying text or other actions in a “protected” Microsoft Word document? The kind of document that is a locked form where you can only position the cursor or enter text in the designated form fields? The document is not encrypted or totally unavailable to you and accessing all of its…

PCI DSS Version 3.0 Retired

PCI DSS Version 3.0 is now retired (June 30, 2015)! Version 3.1 has been effective since April 2015. And this date marks the beginning of the one-year countdown for use of SSL and early TLS as a security control (June 30, 2016). New implementations must not use SSL or early TLS. For the next…

Who is a service provider for a SAQ A ecommerce only Merchant?

The Scenario: Low volume ecommerce only merchant. Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service provider (the acquirer!). Merchant does…

Does an SAQ-A merchant need ASV scans?

If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? The Merchant must always comply with their Acquirer’s direction. V3.1 of the SAQ A does not include requirement 11.2.2. Only SAQ A-EP,…