Archive for August, 2011

Getting Started: Urgent Remediation

This post is part of the Getting Started with PCI-DSS Compliance series.

The Zeroth Step: Urgent Remediation

Before we get into the meat of the series, let me emphasize the importance of taking a risk-prioritized approach from day one.  Compliance should not be your motivation.  Iron-clad protection of sensitive cardholder data should be your goal.  Compliance will follow naturally… eventually.  The subtext here is that while you develop your compliance strategy, high-risk activities should be identified and addressed immediately.

We recommend scheduling interviews with representatives from each line of business that owns a merchant account, as soon as possible.

PCI Compliance Through Visa Chip & PIN Technology

Visa recently announced a nationwide push to move merchants to chip-and-PIN technology, a move that will have dramatic impact on PCI DSS compliance efforts for card-present merchants. This technology, already widely deployed in Europe under the name EMV, uses contactless NFC chips in combination with a PIN to provide two-factor authentication for credit card purchases.

Getting Started With PCI DSS Compliance

For those who have been in the trenches for years, a series about how to begin to grapple with PCI compliance may come as a surprise.  After all, the compliance deadlines are all long past.  However, we recently sat down with an advisee who received marching orders to tackle PCI compliance for his employer, a merchant who only just learned of their compliance obligations.  If you find yourself swimming in similar straits, this series will provide some basic advice on where to begin and point you to important resources.  We invite our more experienced readers to provide additional resources in the comments!

It Begins…

So you’ve gotten a letter or a call or a visit from your merchant bank.  They’ve told you about this PCI Compliance thing-a-ma-bob, and now you’re preparing to explain it to the next level up.  What do you tell them?

Whatever it is, you need to be prepared to respond to the following questions.

PCI DSS Compliance for Web Pages

In a recent question to the PCI DSS Guru, Gareth asked:

We have a secure web page that is served out from a secure PCI server. Can this be served out in a new browser window or embedded as a frame? Does the URL need to be displayed to prove it is secure (e.g. https://….)?

That’s a good question, Gareth. The PCI DSS standard doesn’t speak to whether your webpage must be “obviously secure” to your customers. If the server publishing the page is operating within the confines of the standard and you are following the encryption requirements of PCI DSS Section 4.1, you are probably in good shape as far as the regulation goes.

That said, you should also think about this from a marketing perspective.


VLANs and PCI DSS Compliance

David recently asked the PCI DSS Guru about the use of VLANs in a PCI DSS cardholder data environment. Here’s his question:

Are network switches in the Cardholder Data Environment in scope for PCI DSS? We are having trouble with this one. We have a VLAN that runs campus wide that transmits card data back to our servers. Are all the switches that carry this VLAN in scope? If so, how can we test changes to this network? We can’t afford another network infrastructure just for PCI. Any guidance you can provide would be great. Also, keep up the good work with your site. It’s very helpful to newbs like me.

That’s a great question, David, and it’s the subject of a lot of debate within the PCI DSS community.


Copyright © 1996-2010 PCI DSS Guru. All rights reserved.