The DSS, MageCart, and the DOM – Part 3 e-Commerce Skimming | Control Gap
Cyberattacks and data breaches have risen dramatically in recent years and no industry or organization is immune to these attacks. Merchants, governments, healthcare,...
It turns out that how you implement e-commerce can have a huge impact on your compliance footprint (i.e., the number of PCI security controls assessed depends on your...
In part two of our series, we take a deeper dive into how JavaScript works and its implications for web and e-commerce security and compliance. This demonstration will...
Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More below). Yet many people in the card issuing industry are either unaware of this or confused by it. None of these requirements are new, and many have been in place for more than a decade. What could be responsible for the confusion? And what does it all mean?
Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the proverbial elephant. PCI DSS...
Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their compliance. So, the idea that a common graphics card can threaten compliance or lead to a compromise may at first seem ridiculous. This article will show you why it is not as ridiculous as it seems, and what you can do about it.
The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN numbers (see 8-Digit BINs are Just Around the Corner). For entities that must comply with PCI DSS and need access to the full BIN, there are well documented issues with masking, truncation, and DSS scope. Many organizations will focus on their data-at-rest. However, don't overlook the PCI implications of data-in-transit as well.
Update: In December 2021, the PCI DSS truncation rules were changed to mitigate many of the issues identified in this article. For more details, please see https://controlgap.com/blog/8-Digit-BINs-Great-PCI-Truncation-Reset
If your business processes or stores the full BIN, you need to know whether you will be impacted by Visa's Numerics Initiative (i.e., the 8-Digit BIN expansion mandate)....
What is the difference between passwords and passphrases, PINs, and other authentication factors under PCI DSS? Our team was recently asked for a second opinion on a scenario that seemed like a simple question. When we dug into it, we found some useful but scattered guidance in PCI DSS and its supporting documents. While ambiguity can support flexibility, it can also lead entities astray. PCI's flexibility can sometimes be akin to running with scissors, and this question is no exception.
Many organizations have either undergone or are planning migrations to, or acceleration of, call centers, remote working, and online presence that exploit technologies like VoIP. Criminals are increasingly taking an interest in these channels. ESET recently reported an interesting discovery: Linux-based malware targeting softswitches produced by China-based Linknat. Two models are affected: the VOS2009 and the VOS3000.