Author Archive
PCI Compliance Through Visa Chip & PIN Technology
Visa recently announced a nationwide push to move merchants to chip-and-PIN technology, a move that will have dramatic impact on PCI DSS compliance efforts for card-present merchants. This technology, already widely deployed in Europe under the name EMV, uses contactless NFC chips in combination with a PIN to provide two-factor authentication for credit card purchases.
PCI DSS Compliance for Web Pages
In a recent question to the PCI DSS Guru, Gareth asked:
We have a secure web page that is served out from a secure PCI server. Can this be served out in a new browser window or embedded as a frame? Does the URL need to be displayed to prove it is secure (e.g. https://….)?
That’s a good question, Gareth. The PCI DSS standard doesn’t speak to whether your webpage must be “obviously secure” to your customers. If the server publishing the page is operating within the confines of the standard and you are following the encryption requirements of PCI DSS Section 4.1, you are probably in good shape as far as the regulation goes.
That said, you should also think about this from a marketing perspective.
VLANs and PCI DSS Compliance
David recently asked the PCI DSS Guru about the use of VLANs in a PCI DSS cardholder data environment. Here’s his question:
Are network switches in the Cardholder Data Environment in scope for PCI DSS? We are having trouble with this one. We have a VLAN that runs campus wide that transmits card data back to our servers. Are all the switches that carry this VLAN in scope? If so, how can we test changes to this network? We can’t afford another network infrastructure just for PCI. Any guidance you can provide would be great. Also, keep up the good work with your site. It’s very helpful to newbs like me.
That’s a great question, David, and it’s the subject of a lot of debate within the PCI DSS community.
Remote Access to PCI Environments by Vendors and Business Partners
PCI DSS Requirement 12.3.9 mandates that you allow the “Activation of remote-access technologies for vendors and business partners only when needed by vendors and business partners, with immediate deactivation after use”. What does this mean in practice?
Verifying Your PCI DSS Scope with Scanning Tools
With the release of PCI DSS 2.0 comes a new requirement: verifying that you’ve correctly identified the scope of your cardholder data environment. The PCI DSS compliance community believes, as a general principle, that you should limit the scope of your cardholder data environment to the greatest extent possible. This not only reduces the amount of work you will need to do to comply with the PCI DSS standard, but also reduces the overall risk to your organization by limiting complexity.
Verifying Scope
When a Qualified Security Assessor (QSA) prepares a Report on Compliance (RoC) for your company, they must first identify the scope of their assessment. They’re required to document that they’ve verified your approach in four ways. PCI DSS 2.0 states that they must verify: