controlgap.com


Don’t Tie Yourself in Knots Thinking you can Store Payment Card Verification Codes/Values

Card-not-present security codes/values are the 3- and 4-digit numbers printed on your payment cards and used to verify card-not-present transactions. PCI DSS has been crystal clear for many years that payment card verification codes/values are Sensitive Authentication Data (SAD) and can't be stored after transaction authorization except by card Issuers. Specifically, PCI says:


Why do some Issuers believe they don’t need to be PCI DSS compliant?

Documents from the PCI Council, MasterCard, and Visa clearly indicate that Issuers are required to be PCI DSS compliant (see Learn More below). Yet many people in the card issuing industry are either unaware or confused about this. None of these requirements are new and many have been in-place for more than a decade. What could be responsible for the confusion? And what does it all mean?


How a $1200 Graphics Card Threatens Your PCI DSS Compliance and Security

Organizations subject to PCI DSS compliance validation spend significant amounts of time, effort, and money to maintain and validate their compliance. So, the idea that a common graphics card can threaten compliance or lead to a compromise may at first seem ridiculous. This article will show you why it is not as ridiculous as it seems, and what you can do about it.


Another Way 8-Digit BINs Complicate PCI Compliance: It's Not Just Data-at-Rest

The adoption of 8-digit BINs in 2022 has already created many transitional challenges for organizations needing access to the full BIN numbers (see 8-Digit BINs are Just Around the Corner). For entities that must comply with PCI DSS and need access to the full BIN, there are well documented issues with masking, truncation, and DSS scope. Many organizations will focus on their data-at-rest. However, don't overlook the PCI implications of data-in-transit as well.

Update: In December 2021, the PCI DSS truncation rules were changed to mitigate many of the issues identified in this article. For more details, please see https://controlgap.com/blog/8-Digit-BINs-Great-PCI-Truncation-Reset


PINs, Passwords, and PCI

What is the difference between passwords and passphrases, PINs, and other authentication factors under PCI DSS? Our team was recently asked for a second opinion on a scenario that seemed like a simple question. When we dug into it, we found some useful but scattered guidance in PCI DSS and its supporting documents. While ambiguity can support flexibility, it can also lead entities astray. PCI's flexibility can sometimes be akin to running with scissors, and this question is no exception.
