Dwolla (the online payment system) claimed that it encrypted all sensitive personal information and that its security practices exceeded industry standards and achieved compliance with the Payment Card Industry Data Security Standard (PCI-DSS). Supposedly the (USA) Consumer Financial Protection Bureau thinks that Dwolla failed to employ reasonable and appropriate measures to protect consumer data from…
Have you read the PCI Security Standards Council blog post with a version 3.2 Q&A with Chief Technology Officer Troy Leach yet? Some of the highlights include: What’s in 3.2? evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers;…
Have you ever been stymied in copying text or other actions in a “protected” Microsoft Word document? The kind of documents that are locked forms where you can only position the cursor or enter text in the designated form fields? The document is not encrypted or totally unavailable to you and accessing all of its…
As a Merchant, you probably rely upon the PCI DSS compliance of third parties. Maybe you outsource event ticket e-commerce sales. So you contact the third party and inquire about their PCI DSS compliance. They say “no problem, we will send over our SAQ.” (An SAQ is not the best form of compliance assessment for…
PCI DSS Version 3.0 is now retired (June 30 2015)! Version 3.1 has been effective since April 2015. And this date marks the beginning of the one year countdown for use of SSL and early TLS as a security control (June 30, 2016). New implementations must not use SSL or early TLS. For the next…
In the same vein of the SAQ A versus SAQ A-EP considerations, like is your web hoster a service provider for SAQ-A and “Does an SAQ-A merchant need ASV scans?”. If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x? You will not find a direct…
Not a QSA, ISA, PCIP, sponsor or employee of a participating organization AND interested in attending the North American community meeting in Vancouver? Two paths are available. Become a PCIP ($2245 USD for course and exam) and register for the meeting ($1295 USD). Total costs $3540, but you are now a PCIP ( includes first…
The Scenario: Low volume ecommerce only merchant. Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…
The PCI SSC has announced the formation of a global task force charged with doing what it can to assist small merchants reduce their risk of attack by hackers and/or comply with the PCI DSS. Areas of focus are to include: Simplified Guidance. Best practices. Input to the council on current trends on issues and…
If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? The Merchant must always comply with their Acquirer’s direction. V3.1 of the SAQ A does not include requirement 11.2.2 Only SAQ A-EP,…