
Posts by: David Gamey

The ENTITY (a scary PCI monster)

If you're subject to PCI DSS you need to understand "The ENTITY". We aren't talking about a horror movie. Instead we are talking about something potentially far scarier - your networks, servers, workstations, applications, people, process, responsibilities, third parties, and your contractual relationships. In this article we hope to show you how to understand and tame "The ENTITY" in the context of PCI DSS.


PCI SPoC (PIN on COTS) - Grand Experiment in Mobile Payments

Big changes are coming to payment security in 2019. PCI is launching a grand experiment in payment security - Software PIN on COTS (SPoC) - a subset of "PIN-on-glass". SPoC is intended to make payments using devices like phones and tablets both easy and secure. The approach is both interesting and a departure from previous payment security standards. SPoC has generated a lot of market interest but will face challenges with complexity and potentially with acceptance. This article looks at what SPoC is, its new security model, and some of the challenges. We also present a timeline for the standard, including known mandates.

The PCI Council, which oversees 10 different standards and a dozen programs, is in the process of updating and rolling out standards that will have a big impact on payment security. In addition to SPoC, 2019 will see a new software security standard and framework to replace PA-DSS, improvements to the 3DS standard to benefit card-not-present and mobile payments, a new Qualified PIN Assessor (QPA) program, and a contactless payments on COTS standard.


PCI DSS v3.2.1 - What You Need to Know to Stay PCI Compliant

To accept credit cards in Canada, businesses need to be PCI compliant. Becoming PCI compliant can be difficult in the first place and keeping up with the changes even more so. In May 2018 the Payment Card Industry (PCI) Security Standards Council (formed to regulate security for the payment card industry) released an updated list of compliance requirements known as the PCI Data Security Standard (DSS) v3.2.1.


If You Take Credit Cards By Phone or Mail - You Need to Read About Visa's October Mandate

PCI Rules Aren't the Only Ones You Need to Comply With

Most organizations concerned with payment compliance are focused on the PCI Data Security Standard (DSS), but PCI is only part of the story. Every card brand and payment association has its own operating rules and regulations that also need to be followed. Many of these rules and regulations fly below the radar of most people and organizations. However, sometimes these rule changes have far-reaching impacts.


Equifax Move Over, Here Comes The Cambridge Analytica and Facebook Scandal!

We've been following security and breaches for a long time and they have been getting unquestionably worse. While mega-credit card breaches seem to have been falling off lately, other industries like healthcare, research analytics, and financial services have quickly taken their place. Last year was a record breaker for vulnerabilities and data breaches. We thought that Equifax was about as bad as it could get short of an all-out cyber-war. In light of recent events, that opinion now looks optimistic.
