By now, one might expect that most people even remotely involved with credit card processing would have a passing familiarity with the Payment Card Industry Data Security Standard (PCI DSS).  Unfortunately, this is not the case.  Many merchants (primarily Level 4) remain unaware of the obligations introduced by the card brands’ security programs, each of which centers on the standard.

Even for those versed in PCI DSS, there are benefits to understanding its origins.  The roles and responsibilities that fall to various parties, as well as the appropriate use of the instruments involved in validating compliance, are intertwined with the origins of the standard.

Read the rest of this entry »

Posted in PCI DSS | 3 Comments »

PCI DSS requirement 4.1 requires the use of secure sockets layer (SSL) or other strong cryptography to protect cardholder data while in transit over public networks. Specifically, the standard requires that:

”Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks.”

In this article, we take a look at what this means for you as a PCI DSS professional.  We begin with an overview of how the Secure Sockets Layer (SSL) works, define an “open, public network” and then explore what you need to do to validate your PCI DSS compliance in this area.

Read the rest of this entry »

Posted in Encryption, PCI DSS | 3 Comments »