What does it mean?
Payment Card Industry Data Security Standard (PCI DSS) 3.0 has been "fully" implemented this year, 10/1/2015 (PCI DSS 3.1 came out in Apr 2015), and now v3.2 is out as of Apr 2016.
The new PCI DSS v3.2 is at:
The v3.1 update changes the SSL versions and a few other items; most of the sections have stayed the same. v3.2 increases the frequency of pentesting (minimum of 2x per year).
I am going to have to redesign this page, as it looks like there are yearly changes, so it is not feasible to constantly discuss only the updates. More changes coming soon (07/14/2016).
Here is our most popular post: http://oversitesentry.com/90-cc-machines-have-default-password/ - 90% of credit card machines have been shown to have a default password, which is a very dangerous thing.
Here is the document stating the changes from 3.0 to 3.1:
This is now mandatory (before it was "suggested").
The site http://blog.elementps.com/ is a PCI DSS compliance blog. Its July 10th post said the following about the other interesting development next year:
"As you may be aware, October 2015 marks a significant date in the world of payments. In the next step to further incentivize EMV adoption in the U.S., major card brands will officially shift liability for fraudulent EMV card-present transactions to favor merchants using EMV-enabled devices. To prepare for this shift, ISVs should prepare now to ensure their applications are EMV-ready. There are various methods to incorporate EMV into software applications, some simple and some greatly complex."
Here is a blog post that discusses the EMV compliance deadline: http://www.paymentsleader.com/will-retailers-be-ready-for-emv-by-oct-2015/
EMV (Europay, Mastercard, and Visa)
Another blog: http://www.qsrmagazine.com/exclusives/are-you-ready-emv
It makes clear that there will be new machines, as the US was the last holdout for the chip-and-PIN standard:
“By October 2015, all restaurants and other merchants will be subjected to new Europay, Mastercard, and Visa (EMV) standards, which reflect a shift from magnetic-stripe credit cards to chip-and-pin cards.”
But the new EMV standards shouldn’t detract from a restaurant’s commitment to PCI compliance, says Bob Russo, general manager of the PCI Security Standards Council, a nonprofit that establishes standards for all organizations that store, process, or transmit credit card data. In fact, Russo says, EMV and PCI standards are best used together, as merchants do in many European countries that meet both standards.
So even though there are new EMV standards, PCI DSS 3.0 compliance will still be required.
More acronyms in this area:
Integrated Software Vendors (ISVs)
Qualified Security Assessors (QSAs)
Payment Card Industry Security Standards Council (PCI SSC)
Self-Assessment Questionnaires (SAQs): there are actually six different kinds of SAQ, varying by how one processes transactions. All six are listed on this blog: http://blog.elementps.com/element_payment_solutions/2013/04/the-six-kinds-of-self-assessment-questionnaires.html
New blog post about PCI compliance and standards: http://oversitesentry.com/?p=1231
Updated 01/08/2015: added a YouTube video on PCI compliance in the tip-of-the-day segment (3rd minute): 4 different levels of compliance.
Post from fixvirus.com 2/10/15: PCI compliance is important to the legal liabilities of your entity.
Updated 2/12/15: SSL is no longer PCI compliant. Post:
Of course we can help you achieve PCI compliance (by running the QSA-approved scan) or by performing more complicated pentest attacks.
Updated 2/25/15: cloud system providers and companies using cloud services must be PCI compliant. Some of the problems associated:
Make sure to change all the default passwords on your machines (including credit card terminals) like the VX820:
as it states in requirement #2 of the newest PCI standard (v3.1).
Contact us to help you design a security policy that will stand up to an audit.
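The two checks this page keeps coming back to (SSL no longer being PCI compliant after v3.1, and default passwords on terminals and other machines under requirement #2) are easy to automate against an asset inventory. The script below is an added example written for this page, not code from the original post or from the PCI SSC; the CSV layout, the field names (asset, kind, in_cde, protocols, default_password) and every sample value in it are constructed assumptions, and the protocol list reflects the v3.1 wording that SSL and "early TLS" (TLS 1.0) are not strong cryptography.

```python
"""Audit a constructed asset inventory for two PCI DSS items this page calls out:
  - requirement #2: vendor-supplied default passwords still in use
  - v3.1: SSL / early TLS (TLS 1.0) offered by an in-scope service
Inventory format, field names and sample values are assumptions for this example.
"""
import csv
import io

# Protocol versions PCI DSS v3.1 no longer treats as strong cryptography.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0"}

# Scanner output spells versions inconsistently; normalise a few common forms.
PROTOCOL_ALIASES = {"SSL2": "SSLv2", "SSL3": "SSLv3", "TLSv1": "TLSv1.0", "TLS1.0": "TLSv1.0"}

# Constructed sample inventory (CSV). "in_cde" marks assets inside the cardholder
# data environment; "protocols" is a space-separated list a service negotiates;
# "default_password" records whether the vendor default is still in place.
SAMPLE_INVENTORY = """\
asset,kind,in_cde,protocols,default_password
pos-terminal-01,terminal,yes,,yes
pos-terminal-02,terminal,yes,,no
payment-gw,web,yes,TLSv1.0 TLSv1.1 TLSv1.2,no
intranet-wiki,web,no,SSLv3 TLSv1,no
ecommerce,web,yes,TLSv1.2,no
db-host,database,yes,TLSv1.2,yes
"""


def _yes(value):
    return value.strip().lower() == "yes"


def parse_inventory(text):
    """Parse the CSV text into a list of dicts with normalised field values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        protocols = {PROTOCOL_ALIASES.get(p, p) for p in row["protocols"].split()}
        rows.append({
            "asset": row["asset"].strip(),
            "kind": row["kind"].strip(),
            "in_cde": _yes(row["in_cde"]),
            "protocols": protocols,
            "default_password": _yes(row["default_password"]),
        })
    return rows


def audit(rows):
    """Return sorted (asset, check, severity, detail) findings for the inventory."""
    findings = []
    for r in rows:
        if r["default_password"]:
            # Requirement #2: never leave vendor defaults in place, regardless of scope.
            findings.append((r["asset"], "req-2 default password", "high",
                             "vendor default password still in use"))
        weak = r["protocols"] & WEAK_PROTOCOLS
        if weak:
            # In-scope assets offering SSL/early TLS fail v3.1; out-of-scope
            # assets are reported as informational so they are not forgotten.
            severity = "high" if r["in_cde"] else "info"
            findings.append((r["asset"], "v3.1 SSL/early TLS", severity,
                             "offers " + ", ".join(sorted(weak))))
    return sorted(findings)


def summary(findings):
    """Count findings per check name, for a quick status line."""
    counts = {}
    for _, check, _, _ in findings:
        counts[check] = counts.get(check, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_inventory(SAMPLE_INVENTORY))
    for asset, check, severity, detail in results:
        print(f"{severity:5} {asset:16} {check:24} {detail}")
    print(summary(results))
```

Running it prints one line per finding: the two assets still on vendor defaults, the payment gateway that still negotiates TLS 1.0 inside the CDE, and the out-of-scope wiki as an informational entry. Feeding it a real export rather than the constructed CSV only requires matching the column names.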
Last edited 10/31/15