56 posts tagged with “pci”

Non-Compliance Lesson No. 3: Don't upgrade or patch your old stuff
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Non-Compliance Lesson No. 2: Outsource your payments/security and don't read the fine print
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Non-Compliance Lesson No. 1: Wait until your assessment to validate scope
PCI DSS can be hard and not preparing for it just makes things harder. Following this advice is guaranteed to make it both more exciting and…

Quantum Cryptography for Risk Managers or Shor, Grover, and the Crypto-Apocalypse
According to some, quantum cryptography will revolutionize cryptography, kill our current ciphers, and reveal all our secrets. But if you're…

Why Organizations Need to Become Crypto-Agile and What that Means
Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES…

Why did my PCI DSS Scope Explode?!
It can be extremely frustrating for a compliance team to realize that additional systems are in-scope. It means additional and unexpected…

Don’t Tie Yourself in Knots Thinking you can Store Payment Card Verification Codes/Values
Card Not Present Security Codes/Values are the 3 and 4 digit printed numbers on your payment cards used to verify card-not-present…

The DSS, MageCart, and the DOM – Part 3: e-Commerce Skimming
Cyberattacks and data breaches have risen dramatically in recent years and no industry or organization is immune to these attacks. Merchants…

The DSS, MageCart, and the DOM – Part 2: Browsers, the DOM, and 3rd Party JavaScript
In part two of our series, we take a deeper dive into how JavaScript works and its implications to web and e-commerce security and…

The DSS, MageCart, and the DOM – Part 1: The PCI DSS e-Commerce Rules
It turns out that how you implement e-commerce can have a huge impact on your compliance footprint (i.e., the number of PCI security…

Why do some Issuers believe they don’t need to be PCI DSS compliant?
Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More…

6 Ways to Deal with the Magnitude of PCI DSS
Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the…

PCI DSS v4 is Coming – What Can You Rely On
PCI DSS v4.0 is coming and will bring big changes. The exact nature of the changes isn’t yet available as the standard is still evolving…

How a $1200 Graphics Card Threatens Your PCI DSS Compliance and Security
Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their…

Another Way 8-Digit BINs Complicate PCI Compliance: It's Not Just Data-at-Rest
The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN…

Visa 8-Digit BINs are Just Around the Corner and Many Questions Remain
If your business processes or stores the full BIN, you need to know if you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit…

PINs, Passwords, and PCI
What is the difference between Passwords and Passphrases, PINs, and other authentication factors under PCI DSS…

CDRThief New VoIP Linux Malware – Can Credit Card Skimmers be Far Behind?
Many organizations have either undergone or are planning migrations or acceleration of call centers, remote working, and online presence…

The ENTITY (a scary PCI monster)
If you're subject to PCI DSS you need to understand "The ENTITY". We aren't talking about a horror movie. Instead we are talking about…

Control Gap at Vancouver PCI Community Meeting
Control Gap is excited to announce that we will be exhibiting at this year’s @PCISecurityStandardsCouncil Community Meeting on September 1…

What's the minimum I need to do for PCI?
As we complete the 3rd hour of the meeting discussing PCI scope, the customer turns to me and asks, “So what’s the minimum that I need to do…

NIST is Sunsetting Triple DES - so what will the Financial Industry do?
NIST recently published a document "Transitioning the Use of Cryptographic Algorithms and Key Lengths" which formalizes the sunset of Triple…

NIST Update to Format Preserving Encryption Standard affects PCI Use Cases
Last month NIST announced they were seeking feedback on proposed updated guidance for FPE. More formally this is SP 800-38G rev…

PCI SPoC (PIN on COTS) - Grand Experiment in Mobile Payments
Big changes are coming to payment security in 2019. PCI is launching a grand experiment in payment security - Software PIN on COTS (SPoC…

PCI DSS v3.2.1 - What You Need to Know to Stay PCI Compliant
To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

PCI DSS May Require Pulling Up Your SOX (or ISO)
Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a…

17 Predictions About the Next Version of PCI DSS
PCI DSS v3.2 is due for an update this year - but what will that look like? In this article, we peer into our crystal ball to make some…

Understanding "Connected-to" - Is The Internet In Scope For PCI DSS?
PCI DSS is all about scope. Getting scope right or wrong is perhaps the single most critical factor determining the ultimate success or…

NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe
Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in general purpose applications of cryptography…

Understanding P2PE, NESA, E2EE, and PCI Compliance
Compliance simplification, what most people call “scope reduction”, can have huge benefits in terms of saving time, effort, headaches, and…

PCI Compliance and the Intel AMT Vulnerability
On May 1st a critical new and possibly unprecedented vulnerability was announced. The flaw in Intel's Active Management Technology (AMT…

8-digit BIN Issues and Risks Remain after PCI Truncation Rules Clarified
Last month we wrote this article about issues arising from the addition of new BIN ranges and the lack of clear guidance specifically with…

7 Things You Can Do To Deal With The Recent Format Preserving Encryption (FPE) Compromise
Barely a year after NIST approved Format-Preserving Encryption (FPE) based on AES they've issued a news release that one of the approved…

3 Ways 8-Digit BIN Ranges May Impact PCI Compliance
New 8-digit Bank Identification Numbers (BIN) could complicate PCI truncation rules and create compliance headaches for those required to…

What The CIA WikiLeaks Dump Has In Common With PCI Compliance
In recent news, WikiLeaks exposed a huge trove of CIA documents. Journalists and bloggers will of course have a field day with this and the…

SHA-1 Is Dead!
History: The SHA-1 cryptographic hash function was introduced in 1995. Weaknesses began to be discovered in 2005, and in 2011 NIST deprecated…

What Is The Difference Between Masking And Truncation In PCI Compliance?
Masking and truncation of cardholder data may seem the same on the surface (e.g. 423456XXXXXX7890); however, each implies different…

What Is Cardholder Data In PCI Compliance?
Cardholder data, aka CHD, comes from credit, debit, and prepaid cards bearing the logo of one of the PCI founding card brands. CHD includes…

Call Centers and PCI Compliance: Things You Need to Know
Call centers can be challenging places. They range from small and simple to large and complex. For many businesses they are a place where…

4 FAQs The PCI Security Standards Council Renamed in 2016
Anyone who relies on the PCI FAQ site for guidance may have noticed some changes in the last few months. In fact, if you bookmarked some of…

PCI Announces NESA - A Stepping Stone To P2PE
Earlier this month the PCI Security Standards Council published a new document as part of the Point-to-Point Encryption (P2PE) program. This…

PCI Compliance Footprints: 7 Ways To Simplify Compliance, Reduce Risk And Save Money
While you may have heard of carbon footprints and ecological footprints, you might not be aware that there is such a thing as a PCI Compliance…

3 Risks of Ignoring PCI Compliance
With more than 510 million records containing sensitive information breached since January 2005, statistics indicate that cardholder data…

12 Tips To Avoid Credit Card Data Breaches
PCI DSS: 12 Requirements to Protect Your Customer’s Credit Card Data. Traditionally, ill-intentioned criminals have targeted banking…

PCI Compliance & Why You Need to be Compliant
Getting paid is just as important as PCI compliance. Businesses of all sizes rely on cash flow to effectively manage business operations. To…

How Microsoft Support Expiry can Affect Your PCI Compliance
Microsoft support offerings are designed to provide guidance for system administrators and managers. However, details of the Microsoft…

PCI Under The Microscope
The PCI Council has testified before Congress about standards and breaches in both 2014 and 2009 (links are to Google Searches). This year…

PCI DSS v3.2 - What You Need to Know to Stay PCI Compliant
To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and…

PCI DSS V3.2 Is Almost Here!
The PCI Security Standards Council confirmed last week that the updated version of PCI DSS (v3.2) will be released at the end of April 201…

Just like spring - a new version of PCI DSS will come early this year!
Last week the PCI Standards Council commented on the upcoming DSS 3.2 update and what it means for the rest of 2016. Ever since the sunset…

Sunset of SSL Extended
If you’ve been struggling with keeping up with various SSL vulnerabilities and planning an orderly cutover to TLS then the recent…

Must Format Preserving Encryption (FPE) be distinguishable from cardholder data for PCI?
Previously we looked at Format Preserving Encryption (FPE), its characteristics and suitability for application in solutions intended for PCI…

PCI DSS Version 3.1 Has Arrived
The PCI Security Standards Council today published the expected update to PCI, releasing these documents including some specific migration…

PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates
The PCI council has released an announcement that they are preparing an updated version of the PCI DSS (v3.1) and PA-DSS (v3.1), where they…

What is Format Preserving Encryption and is it suitable for PCI DSS?
Format Preserving Encryption or FPE is a recent technology that is beginning to show up in payment solutions with the promise of simplifying…

Analysis of PCI DSS 3.0
PCI DSS 3.0 was released Nov 2013. There are new and changed requirements with a more organized look. Check out our in-depth analysis and…