ASV Program Guide v3.1 (July 2018), 5.5 ASV Scan Scope Definition: For the purpose of ASV scanning, the PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component…
Category: Scoping
Scoping, V3.2.1
Data Flow Diagrams
by Ed

The Report on Compliance suggests that cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless, they are a great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…
ecommerce, Mobile, Scoping
If a merchant develops an application that runs on a consumer’s device…
by Ed

But someone told me that mobile apps on consumer devices are out of scope… FAQ 1283 from June 2014: If a merchant develops an application that runs on a consumer’s device (e.g. smartphone, tablet, or laptop) that is used to accept payment card data, what are the merchant’s obligations regarding PCI DSS and PA-DSS for…
PCI DSS, Scoping
PCI compliance and big P Politics
by Ed

What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money? Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …
Assessments, SAQ A, Scoping, Vulnerability Management
Redirect. But don’t forget. And patch.
by Ed
SAQ A for PCI DSS v3.2.1 includes requirement 6.2. So don’t forget that redirecting webserver! So, patch that webserver. How do you verify that patching is happening? Review policies and procedures. Examine system components. Compare the list of security patches installed to recent vendor patch lists.
PCI DSS, Scoping
Does using telnet for admin always require at least a compensating control?
by Ed

The PCI Guru has an article about an issue with PCI DSS requirement 2.3.b: https://pciguru.wordpress.com/2017/06/09/we-need-a-change-to-2-3-b/ Reminder of what 2.3.b is about: “2.3.b Review services and parameter files on systems to determine that Telnet and other insecure remote-login commands are not available for non-console access.” And the guidance for 2.3 is: “If non-console (including remote) administration…
Assessments, PCI DSS, Scoping
The Council Plans to Publish Scoping Guidance!
by Ed

The latest news update for QSAs includes news of an upcoming holiday gift for those in the PCI DSS world! The Security Standards Council plans to publish “Guidance for PCI DSS Scoping and Network Segmentation” in December 2016. The Council states that the guidance “aims to clarify scoping and segmentation principles provided in the PCI DSS”.…