What is a “payment page”? A simple question? Maybe not. I think a layperson would say that its the webpage where you input your payment details. A merchant completing an SAQ-A compliance assessment might disagree. Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete…
Author: Ed
4.0, PCI DSS
Can’t find the “Whats New in PCI V4.0” training?
by Ed • • 0 Comments
Can’t find the “Whats New in PCIV4.0” training? You are not alone. It is well hidden! Head over to the council’s portal at https://programs.pcissc.org Login! (bet you have to change your password again, lol!) Find RESOURCE CENTER in the big list in the middle Put DSS in the search box and press ENTER Collapse the…
Uncategorized
Part 4 of AOC – Action Plan for Non-Compliant Requirements
by Ed • • 0 Comments
Should part 4 of an AOC be left blank? A slightly controversial topic among the PCI-pedantic such as myself. And nothing in the FAQ on the topic 🙁 A quick survey of AOCs by 9 different QSACs shows a split of 6 check YES and 3 leave it BLANK. A discussion among PCI professionals shows…
Assessments, QSA, Security Testing, Vulnerability Management
What is your favourite PCI DSS requirement?
by Ed • • 0 Comments
For me, 6.1 and its brethren 6.2. Knowing about vulnerabilities and doing something about them! As a QSA, I always knew of a big critical vulnerability in each platform I assessed. A biggie. The worse the better. I poured over samples seeking unpatched devices. Every demo session I would be jotting version numbers down continually…
4.0, PCI DSS, PCI SSC, QSA, Uncategorized, V4.0
Why cant I find PCI DSS v4 draft anywhere?
by Ed • • 0 Comments
So you are wondering why you can not find the latest PCI DSS v4 version to participate in the RFC? You meet the criteria as a PO, QSA or ASV, but the document is nowhere to be found in the other PCI portal. Its because access to the RFC is restricted to your organizations’ primary contact. …
Fun, PCI DSS, V3.2.1
The Mandela Effect and Inactive accounts
by Ed • • 0 Comments
What makes a user account “inactive”? I think most QSAs would say “any account not used with in 90 days”. I think these QSAs would also say that the PCI DSS (v3.2.1) actually defines an inactive account as one that has not been used within 90 days. But maybe this definition is from the Mandela…
ASV, Scoping, Vulnerability Management
What should be included in ASV scans?
by Ed • • 0 Comments
ASV Program Guide v3.1 (July 2018) 5.5 ASV Scan Scope Definition For the purpose of ASV scanning, the PCI DSS requires quarterly vulnerability scanning of all externally accessible (Internet-facing) system components owned or utilized by the scan customer that are part of the cardholder data environment (CDE), as well as any externally facing system component…
Uncategorized
Preparing for reopening
by Ed • • 0 Comments
Below is guidance from manufacturers and resellers on how to clean and sanitize your point of interaction (POI) devices. “Wet” covers that are more easily cleaned may seem like a great idea, but everyone else has the same idea and you will find the products backlogged at the moment. Poster for how to clean…
Card Brands, Service Providers
No colour coding on the Visa service provider list anymore?
by Ed • • 0 Comments
COVID-19 impact on your service provider listing at Visa Visa’s Global list of service providers (here) is a listing of PCI DSS Validated Service Providers and participants in Visa programs (such as Visa Third Party Agent (TPA) Program, etc) who are registered with Visa. The Registry is updated once a month. For service providers published…
Assessments, Card Brands, PCI DSS, PCI SSC
COVID and Compliance (April 27, 2020)
by Ed • • 0 Comments
Compliance assessment activities and regular compliance activities (i.e. penetration tests, employee training, etc) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still awaiting to hear from the acquirers…
