pci
58 posts tagged with “pci”
PCI DSS v4 is Coming – What Can You Rely On
04-Mar-2022
PCI DSS v4.0 is coming and will bring big changes. The exact nature of the changes aren’t yet available as the standard is still evolving…

8-Digit BINs and the Great PCI Truncation Reset
20-Jan-2022
Visa, MasterCard, Discover, JCB, and Union Pay hit ‘reset’ on the PCI DSS truncation rules in December 2021 and January 2022 providing an…

Addressing Log4Shell
16-Dec-2021
The Log4Jshell vulnerability has sparked an Internet firestorm and may potentially be one of the most devastating bugs in years. But why…

Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff
07-Dec-2021
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print
01-Nov-2021
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Non-Compliance Lesson No. 1: Wait until your assessment to validate scope
07-Oct-2021
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Quantum Cryptography for Risk Managers or Shor, Grover, and the Crypto-Apocalypse
23-Sep-2021
According to some, quantum cryptography will revolutionize cryptography, kill our current ciphers, and reveal all our secrets. But if you're…

Why Organizations Need to Become Crypto-Agile and What that Means
16-Sep-2021
Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES…

Why did my PCI DSS Scope Explode?!
01-Sep-2021
It can be extremely frustrating for a compliance team to realize that additional systems are in-scope. It means additional and unexpected…

Don’t Tie Yourself in Knots Thinking you can Store Payment Card Verification Codes/Values
26-Aug-2021
Card Not Present Security Codes/Values are the 3 and 4 digit printed numbers on your payment cards used to verify card-not-present…

The DSS, MageCart, and the DOM – Part 3: e-Commerce Skimming
05-Aug-2021
Cyberattacks and data breaches have risen dramatically in recent years and no industry or organization is immune to these attacks. Merchants…

The DSS, MageCart, and the DOM – Part 2: Browsers, the DOM, and 3rd Party JavaScript
05-Aug-2021
In part two of our series, we take a deeper dive into how JavaScript works and its implications to web and e-commerce security and…

The DSS, MageCart, and the DOM – Part 1: The PCI DSS e-Commerce Rules
05-Aug-2021
It turns out that how you implement e-commerce can have a huge impact on your compliance footprint (i.e., the number of PCI security…

Why do some Issuers believe they don’t need to be PCI DSS compliant?
19-Jul-2021
Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More…

6 Ways to Deal with the Magnitude of PCI DSS
19-Jul-2021
Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the…

How a $1200 Graphics Card Threatens Your PCI DSS Compliance and Security
20-May-2021
Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their…

Another Way 8-Digit BINs Complicate PCI Compliance: It's Not Just Data-at-Rest
23-Apr-2021
The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN…

Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain
28-Feb-2021
If your business processes or stores the full BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit…

PINs, Passwords, and PCI
18-Feb-2021
What is the difference between Passwords and Passphrases, PINs, and other authentication factors under PCI DSS…

CDRThief New VoIP Linux Malware – Can Credit Card Skimmers be Far Behind?
10-Sep-2020
Many organizations have either undergone or are planning migrations or acceleration of call centers, remote working, and online presence…

The ENTITY (a scary PCI monster)
31-Oct-2019
If you're subject to PCI DSS you need to understand "The ENTITY". We aren't talking about a horror movie. Instead we are talking about…

Control Gap at Vancouver PCI Community Meeting
03-Sep-2019
Control Gap is excited to announce that we will be exhibiting at this year’s @PCISecurityStandardsCouncil Community Meeting on September 1…

What's the minimum I need to do for PCI?
18-Jul-2019
As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do…

NIST is Sunsetting Triple DES - so what will the Financial Industry do?
09-Apr-2019
NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple…

NIST Update to Format Preserving Encryption Standard affects PCI Use Cases
21-Mar-2019
Last month NIST announced they were seeking feedback on proposed updated guidance for FPE. More formally this is SP 800-38G rev…

PCI SPoC (PIN on COTS) - Grand Experiment in Mobile Payments
28-Jan-2019
Big changes are coming to payment security in 2019. PCI is launching a grand experiment in payment security - Software PIN on COTS (SPoC…

PCI DSS v3.2.1 - What You Need to Know to Stay PCI Compliant
07-Nov-2018
To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

PCI DSS May Require Pulling Up Your SOX (or ISO)
22-Feb-2018
Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a…

17 Predictions About the Next Version of PCI DSS
10-Jan-2018
PCI DSS v3.2 is due for an update this year - but what will that look like? In this article, we peer into our crystal ball to make some…

Understanding "Connected-to" - Is The Internet In Scope For PCI DSS?
07-Dec-2017
PCI DSS is all about scope. Getting scope right or wrong is perhaps the single most critical factor determining the ultimate success or…

NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe
19-Jul-2017
Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in general purpose applications of cryptography…

Understanding P2PE, NESA, E2EE, and PCI Compliance
27-Jun-2017
Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and…

PCI Compliance and the Intel AMT Vulnerability
15-May-2017
On May 1st a critical new and possibly unprecedented vulnerability was announced. The flaw in Intel's Active Management Technology (AMT…

8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified
10-May-2017
Last month we wrote this article about issues arising from the addition of new BIN ranges and the lack of clear guidance specifically with…

7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise
26-Apr-2017
Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved…

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance
11-Apr-2017
New 8-digit Bank Identification Numbers (BINs) could complicate PCI truncation rules and create compliance headaches for those required to…

What The CIA WikiLeaks Dump Has In Common With PCI Compliance
14-Mar-2017
In recent news, WikiLeaks exposed a huge trove of CIA documents. Journalists and bloggers will of course have a field day with this and the…

SHA-1 Is Dead!
23-Feb-2017
History: The SHA-1 cryptographic hash function was introduced in 1995. Weaknesses began to be discovered in 2005, and in 2011 NIST deprecated…

What Is The Difference Between Masking And Truncation In PCI Compliance?
17-Jan-2017
Masking and truncation of cardholder data may seem the same on the surface (e.g. 423456XXXXXX7890); however, each implies different…

What Is Cardholder Data In PCI Compliance?
16-Jan-2017
Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands. CHD includes…

Call Centers and PCI Compliance: Things You Need to Know
15-Dec-2016
Call centers can be challenging places. They range from small and simple to large and complex. For many businesses they are a place where…

4 FAQs The PCI Security Standards Council Renamed in 2016
02-Dec-2016
Anyone who relies on the PCI FAQ site for guidance may have noticed some changes in the last few months. In fact, if you bookmarked some of…

PCI Announces NESA - A Stepping Stone To P2PE
29-Nov-2016
Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This…

PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money
22-Nov-2016
While you may have heard of carbon footprints and ecological footprints, you might not be aware that there is such a thing as a PCI Compliance…

3 Risks of Ignoring PCI Compliance
15-Nov-2016
With more than 510 million records containing sensitive information breached since January 2005, statistics indicate that cardholder data…

12 Tips To Avoid Credit Card Data Breaches
01-Nov-2016
PCI DSS: 12 Requirements to Protect Your Customer’s Credit Card Data. Traditionally, ill-intentioned criminals have targeted banking…

PCI Compliance & Why You Need to be Compliant
27-Sep-2016
Getting paid is just as important as PCI compliance. Businesses of all sizes rely on cash flow to effectively manage business operations. To…

How Microsoft Support Expiry can Affect Your PCI Compliance
26-Jul-2016
Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft…

PCI Under The Microscope
28-Jun-2016
The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year…

PCI DSS v3.2 - What You Need to Know to Stay PCI Compliant
08-Jun-2016
To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

PCI DSS V3.2 Is Almost Here!
06-Apr-2016
The PCI Security Standards Council confirmed last week that the updated version of PCI DSS (v3.2) will be released at the end of April 201…

Just like spring - a new version of PCI DSS will come early this year!
26-Feb-2016
Last week the PCI Standards Council commented on the upcoming DSS 3.2 update and what it means for the rest of 2016. Ever since the sunset…

Sunset of SSL Extended
22-Dec-2015
If you’ve been struggling with keeping up with various SSL vulnerabilities and planning an orderly cutover to TLS then the recent…

Must Format Preserving Encryption (FPE) be distinguishable from cardholder data for PCI?
17-Apr-2015
Previously we looked at Format Preserving Encryption (FPE), its characteristics, and its suitability for application in solutions intended for PCI…

PCI DSS Version 3.1 Has Arrived
15-Apr-2015
The PCI Security Standards Council today published the expected update to PCI, releasing these documents including some specific migration…

PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates
10-Mar-2015
The PCI Council has released an announcement that they are preparing an updated version of the PCI DSS (v3.1) and PA-DSS (v3.1), where they…

What is Format Preserving Encryption and is it suitable for PCI DSS?
23-Feb-2015
Format Preserving Encryption, or FPE, is a recent technology that is beginning to show up in payment solutions with the promise of simplifying…

Analysis of PCI DSS 3.0
01-Oct-2014
PCI DSS 3.0 was released in Nov 2013. There are new and changed requirements with a more organized look. Check out our in-depth analysis and…