Should part 4 of an AOC be left blank? A slightly controversial topic among the PCI-pedantic such as myself. And nothing in the FAQ on the topic 🙁 A quick survey of AOCs by 9 different QSACs shows a split of 6 check YES and 3 leave it BLANK. A discussion among PCI professionals shows…
Assessments, QSA, Security Testing, Vulnerability Management
What is your favourite PCI DSS requirement?
by Ed

For me, 6.1 and its brethren 6.2. Knowing about vulnerabilities and doing something about them! As a QSA, I always knew of a big critical vulnerability in each platform I assessed. A biggie. The worse the better. I pored over samples seeking unpatched devices. Every demo session I would be jotting version numbers down continually…
4.0, PCI DSS, PCI SSC, QSA, Uncategorized, V4.0
Why can't I find the PCI DSS v4 draft anywhere?
by Ed
Fun, PCI DSS, V3.2.1
The Mandela Effect and Inactive accounts
by Ed
ASV, Scoping, Vulnerability Management
What should be included in ASV scans?
by Ed
ASV Program Guide v3.1 (July 2018) 5.5 ASV Scan Scope Definition For the purpose of ASV scanning, the PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component…
Uncategorized
Preparing for reopening
by Ed

Below is guidance from manufacturers and resellers on how to clean and sanitize your point of interaction (POI) devices. “Wet” covers that are more easily cleaned may seem like a great idea, but everyone else has the same idea and you will find the products backlogged at the moment. Poster for how to clean…
Card Brands, Service Providers
No colour coding on the Visa service provider list anymore?
by Ed

COVID-19 impact on your service provider listing at Visa. Visa’s Global List of Service Providers is a listing of PCI DSS validated service providers and participants in Visa programs (such as the Visa Third Party Agent (TPA) Program, etc.) who are registered with Visa. The registry is updated once a month. For service providers published…
Assessments, Card Brands, PCI DSS, PCI SSC
COVID and Compliance (April 27, 2020)
by Ed

Compliance assessment activities and regular compliance activities (e.g. penetration tests, employee training, etc.) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still waiting to hear from the acquirers…
ASV, Security Testing, Vulnerability Management
WAFs and ASV scans
by Ed

If by WAF you mean “an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic”, then we are on the same page! Ryan Barnett wrote about it in 2008 in his Tactical Web Application Security blog. Didier Godart…
Scoping, V3.2.1
Data Flow Diagrams
by Ed

The Report on Compliance suggests that cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless, they are a great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…