The term REPORT FINDINGS HERE occurs 844 times in the version 3.2 ROC reporting template. 939 times in version 3.1 926 times in 3.0 Not once in v2.0 (it had a different format). Some can be filled with as little as two letters: NO Some require several paragraphs. Huh, I thought it was bigger…
I got tired of hunting these down regularly. Here are the official TLS and SSL reference links in one spot: SSL/Early TLS: Working with an ASV on Failed Scans http://blog.pcisecuritystandards.org/working-with-an-asv-on-failed-scans INFORMATION SUPPLEMENT Migrating from SSL and Early TLS Version 1.0 Date: April 2015 Author: PCI Security Standards Council – Includes: Preparing a Risk Mitigation and…
Have you read the PCI Security Standards Council blog post with a version 3.2 Q&A with Chief Technology Officer Troy Leach yet? Some of the highlights include: What’s in 3.2? evaluating additional multi-factor authentication for administrators within a Cardholder Data Environment (CDE); incorporating some of the Designated Entities Supplemental Validation (DESV) criteria for service providers;…
PCI DSS Version 3.0 is now retired (June 30 2015)! Version 3.1 has been effective since April 2015. And this date marks the beginning of the one year countdown for use of SSL and early TLS as a security control (June 30, 2016). New implementations must not use SSL or early TLS. For the next…
In the same vein of the SAQ A versus SAQ A-EP considerations, like is your web hoster a service provider for SAQ-A and “Does an SAQ-A merchant need ASV scans?”. If a website uses a hosted payment page redirect, is the web server in scope for PCI DSS v3.x? You will not find a direct…
PA-DSS has been updated to version 3.1. Read the council’s announcement here. This brings the PA-DSS in line with the PCI-DSS in terms of both version numbers and the update on “strong” encryption protocols. I.e: TLS 1.2 only please. And if you have read the council’s guidance on TLS migration that was published back in…
The Scenario: Low volume ecommerce only merchant. Website does a full redirect to a PCI compliant provider payment page so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to PCI DSS validated third-party service provider (the acquirer!). Merchant does…
UPDATED FOR V4! If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? YES! V4 clearly includes PCI DSS requirement 11.3.2! (Note the new V4 numbering) Self-Assessment Questionnaire A and Attestation of…
The Prioritized Approach is now updated for 3.1 We have a fresh “Prioritized Approach for PCI DSS Version 3.1” and “Prioritized Approach Tool Version 3.1” worksheet today. “Prioritized Approach for PCI DSS Version 3.1” is still a PDF doc that introduces the concept. And the “Prioritized Approach Tool Version 3.1” is still a (edit password…
… light at the end of SAQ A web server security tunnel… As of April 24th, there are new SAQs for PCI DSS V3.1. This includes a new document titled “SAQ Instructions and Guidelines v3.1” and a revision to the May 2014 document titled: “Understanding SAQs for PCI DSS v3“. A little more fuel for…
