What is a “payment page”? A simple question? Maybe not. I think a layperson would say that it's the webpage where you input your payment details. A merchant completing an SAQ-A compliance assessment might disagree. Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete…
Category: PCI DSS
4.0, PCI DSS
Can’t find the “What's New in PCI V4.0” training?
by Ed

Can’t find the “What's New in PCI V4.0” training? You are not alone. It is well hidden! Head over to the council’s portal at https://programs.pcissc.org and log in! (bet you have to change your password again, lol!) Find RESOURCE CENTER in the big list in the middle. Put DSS in the search box and press ENTER. Collapse the…
4.0, PCI DSS, PCI SSC, QSA, Uncategorized, V4.0
Why can't I find the PCI DSS v4 draft anywhere?
by Ed
Fun, PCI DSS, V3.2.1
The Mandela Effect and Inactive accounts
by Ed
Assessments, Card Brands, PCI DSS, PCI SSC
COVID and Compliance (April 27, 2020)
by Ed

Compliance assessment activities and regular compliance activities (e.g. penetration tests, employee training, etc.) may be disrupted during COVID. Retail locations may be closed, staff may be unavailable. Obviously human safety trumps any PCI DSS compliance concerns. Merchants and QSAs do have questions about compliance in COVID times. We are still waiting to hear from the acquirers…
PCI DSS, Vulnerability Management
Can switches get updates from the internet and remain PCI compliant?
by Ed

Assessed entity question: Can switches get updates from the internet, and remain PCI compliant? QSA’s Sarcastic Question: Where else do patches come from? 🙂 I presume you mean the device actively getting updated from the internet. QSA’s Real Questions: What kind of switches do this? What is the exact mechanism? What is the direction of…
4.0, PCI DSS, PCI Version, Security Testing, V3.2.1
Functionality testing to verify that the change does not adversely impact the security of the system
by Ed

What are an Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3: Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a: For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…
Community Meeting, PCI DSS, V4.0
eye on PCI v4
by Ed

August 25 2020: The council is still analyzing feedback from the previous RFC (the plan is to comment on all feedback). The council is preparing the next RFC while updating supporting documents (glossary, prioritized approach, SAQs, etc.) and training. An extended transition period is planned. 3.2.1 is to be retired 2 years AFTER the release of v4.0. Future…
Assessments, PCI DSS, Security Testing, Vulnerability Management
Vulnerability scans are not for req 6.1
by Ed

Requirement 6.1 is my favourite PCI DSS requirement! No fancy tools required. No specialized knowledge. It can be largely executed by a person on the helpdesk. And the impact on the organization's overall security posture can be huge. More than that expensive network appliance. More than that fancy SIEM. More than that overpriced vulnerability…
PCI DSS, Scoping
PCI compliance and big P Politics
by Ed

What is behind MPI’s decision to stop the acceptance of preauthorized credit card payments? Politics? Lobbyists? Pressure from the broker association? Lucrative broker commission payments? Maybe according to the Winnipeg Free Press. Saving money? Apparently, but the savings are coming from the reduced scope of PCI DSS compliance by eliminating cardholder data storage (according to CBC reporting). …