PCI Compliance

What does it mean?

Payment Card Industry Data Security Standard PCI DSS   v3.2 out as of Apr2016

The new PCI DSS v3.2 is at:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf?agreement=true&time=1468472230172

The v3.1 updates the ssl versions and a few other items, most of the sections have stayed the same.  v3.2 increases the frequency of pentesting (minimum of 2x per year)

In 2017 got CISA certified

   Which covers all company functions not just credit card compliance.

Here is our most popular post http://oversitesentry.com/90-cc-machines-have-default-password/  90% of Credit Card machines have been shown to have default password – this is a very dangerous thing.

 

here is the document stating the changes from 3.0 to 3.1:

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1_Summary_of_Changes.pdf

this is now mandatory(before it was “suggested”

pci11.3

Notice the small section near the bottom   PCInew2015

 

The http://blog.elementps.com/  is a PCI DSS Compliance Blog.  The July 10th post said about  the other interesting development next year:

“As you may be aware, October 2015 marks a significant date in the world of payments. In the next step to further incentivize EMV adoption in the U.S., major card brands will officially shift liability for fraudulent EMV card-present transactions to favor merchants using EMV-enabled devices.  To prepare for this shift, ISVs should prepare now to ensure their applications are EMV-ready. There are various methods to incorporate EMV into software applications, some simple and some greatly complex. ”

Here is a blog that discusses the EMV compliance deadline: http://www.paymentsleader.com/will-retailers-be-ready-for-emv-by-oct-2015/

EMV (Europay Mastercard and Visa)

 

Another Blog : http://www.qsrmagazine.com/exclusives/are-you-ready-emv

Makes it clear that there will be new machines as the US was the last holdout for the Pin and Chip standard:

“By October 2015, all restaurants and other merchants will be subjected to new Europay, Mastercard, and Visa (EMV) standards, which reflect a shift from magnetic-stripe credit cards to chip-and-pin cards.”

But the new EMV standards shouldn’t detract from a restaurant’s commitment to PCI compliance, says Bob Russo, general manager of the PCI Security Standards Council, a nonprofit that establishes standards for all organizations that store, process, or transmit credit card data. In fact, Russo says, EMV and PCI standards are best used together, as merchants do in many European countries that meet both standards.

 

So even though there are new EMV standards – there will still be PCI DSS3.0 compliance.

More acronyms in this area:

Integrated Software Vendor’s (ISVs)

Qualified Security Assessors (QSAs)

Payment Card Industry Security Standards Council (PCI SSC)

Self-Assessment Questionnaires (SAQs)   there are actually six different kinds of SAQ’s varying on how one processes transactions.   all six are listed on this blog:  http://blog.elementps.com/element_payment_solutions/2013/04/the-six-kinds-of-self-assessment-questionnaires.html

 

At Fixvirus.com we provide some of the requirements (Scanning and Vulnerability Assessments with regard to the Alpha and Sigma scan) in the penetration testing  phases of the PCI compliance area

New Blog Post about  PCI Compliance and standards http://oversitesentry.com/?p=1231

Updated 01/08/2015  added youtube video on PCI compliance  at tip of day segment – 3rd min. 4 different levels of compliance.

http://youtu.be/wpNX0XxCq9w 

Post from fixvirus.com 2/10/15:  PCi compliance is important to Legal Liabilities of your entity

http://www.fixvirus.com/pci-complianceaffectslegalliabilities

 

Updated 2/12/15 – SSL is no longer PCI compliant Post:

http://oversitesentry.com/ssl-security-is-no-longer-pci-compliant/

Of course we can help you achieve PCI  Compliance (by running the QSA approved scan) or performing more complicated pentest attacks

 

Updated 2/25/15 – Cloud system Providers and companies using cloud services must be PCI compliant – some of the problems associated:

http://oversitesentry.com/pci-compliance-also-on-cloud/

 

Updated 6/30/15

Make sure to change all your default passwords in your machines (including Credit Card terminals) like the VX820:

http://oversitesentry.com/90-cc-machines-have-default-password/

As it states in #2 of the newest PCI standard (v3.1)

pcicompliancerequirement2

 

Contact Us to help you design a security policy to defend against an audit.

Last edited 10/31/15