PCI


PAN Truncation and PCI DSS Compliance

Plenty has been written about the VISA tokenization best practices – but many have overlooked the truncation best practices. Ed and I covered truncation for SearchFinancialSecurity: In July, Visa Inc. got out ahead of the Payment Card Industry (PCI) Security Standards Council and issued its own best practices for tokenization and PAN truncation. While quite a lot of attention has been...

Divide and ???

If you’re a PCI maven, you probably already know that today the PCI Security Standards Council (SSC) issued their summary changes to the current PCI-DSS and PA-DSS which will become v2.0 of both documents. Rob Westervelt interviewed me on the changes and pulled this quote for his article: My biggest fear is that we’re beginning to see a splintering of PCI with other documents being...

PCI 2.0, our highlights of the highlights

So, as Diana tweeted earlier, the PCI Standards Council just put out a summary of (proposed) changes to the PCI-DSS and PA-DSS: the long-awaited 2.0 revision. It’s an interesting read-through if you haven’t checked it out already. In the interest of understanding what it means for those of us in the trenches – merchants, QSAs, processors, etc. – here’s...

The difference between compliant and not is how hard you look

The other day, while researching the thing about the PED devices, I came across some chatter about folks making the statement that a PCI-compliant entity has not been successfully hacked. I recall hearing this particular line in QSA training many years ago (2005 maybe?) and apparently, folks are still saying it today. From the article I cited in the prior post re: the PED devices: Perhaps...

SSC PED Suspension: Impacts liability protection?

I don’t know if you’ve been following Diana’s series of updates on this topic via Twitter or not, but as Diana mentioned in that forum, there’s been some recent activity regarding a few PED devices that have allegedly had their compliance status revoked – specifically the Ingenico i3070MP01 and the i3070EP01. It’s all very interesting. Short story: a recent...

Musings on PCI by way of (IN)Secure’s June issue

Maybe you’ve already seen it, but I just got around to reading the June issue of (IN)Secure Magazine today. Yes, yes… it came out last week, I realize this – but since reading the PDF version sometimes hangs Chrome (and they don’t have or I can’t find a non-PDF feed of the actual articles), I usually put off reading it until I have the spare cycles to wait...

PCI DSS Ambiguities and How to Overcome Them

In a video over at the SearchSecurity site, Ed talks about the questions that pose the greatest challenge to enterprises as they struggle to interpret the requirements, outlines recent and upcoming clarifications from the PCI Security Standards Council, and discusses strategies used in the field to reduce the complexity. Does “one function per server” mean that we can’t use...

Restaurateurs, SIs, and PCI

Dan Kaplan has a piece in SC Magazine on the lawsuit being filed against SI/resellers Radiant Systems and Computer World by some restaurants in Louisiana and Mississippi. Dan interviewed me for the piece: Diana Kelley, founder of consultancy Security Curve, said she understands where the restaurants have a case, considering Visa alerted the two defendants in April 2007 that their systems were...

PCI Compliance Summit

BrightTalk is hosting a day-long PCI Compliance Summit on October 27th. Looks like they’ve put together a really solid agenda. Diana will be presenting “Software Security for Compliance, PCI, and Beyond” at 10 a.m. Eastern. Please listen in if you have time! PCI requirement 6 and sub-requirement 6.6 have caused confusion among retailers and merchants trying to understand how best...

Tokenization and PCI

Rob Westervelt interviewed Diana for a piece on tokenization for PCI compliance: “It’s a great technology overall, but merchants have to make sure there’s no other instances of PAN data around to really get the full benefit,” Kelley said, adding that PAN data can slip into log files and volatile...
