Archive for the 'Compliance' Category

PCI DSS

Published at May 2, 2008 in Compliance and Security. Comment

Just attended a PCI-DSS workshop organized by VISA, wow, sure was worth it.  Have read the PCI-DSS docs a number of times but the whole classroom experience was very valuable.

Some important items worth noting:

  • The idea behind the PCI program is to “Render the credit card data unreadable”, they way you could accomplish is: encrypting, hashing, truncation.
  • PCI DSS - Is the standard itself
  • AIS - Is the enforcement program
  • Data that can never be stored, unless you are a credit card issuer:
    • Mag-stripe data
    • CVV2
    • PIN/PIN Block
  • As per the requirements, you must notify your acquirer of a possible breach within 24 hours
  • PCI DSS has about 230 requirements
  • PCI DSS is based on fundamental data security practices:
    1. Data controls
    2. Network controls
    3. System level controls
    4. Application controls (Code reviews, app testing)
    5. Policies
    6. Physical Controls
  • VISA is moving PABP from “best Practices” into a formal security starndard managed by the PCI SSC as the Payment Application Data Security Standard (PA-DSS)
  • PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protections, including the PCI DSS
Technorati is experiencing unusually high load right now!!
Technorati

Doh! The Technorati Monster escaped again.

We're currently experiencing backend issues and are working to resolve them as quickly as possible. We apologize for the inconvenience and appreciate your patience.