<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>Society of Payment Security Professionals Forum</title>
		<link>http://forum.paymentsecuritypros.com</link>
		<description>Forum where industry experts discuss and answer questions about the PCI DSS, PA-DSS/PABP, and PIN compliance requirements.</description>
		<language>en</language>
		<lastBuildDate>Fri, 10 Sep 2010 12:21:53 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>http://forum.aegenis.com/images/misc/rss.jpg</url>
			<title>Society of Payment Security Professionals Forum</title>
			<link>http://forum.paymentsecuritypros.com</link>
		</image>
		<item>
			<title>Req. 9.5 - Review backup location</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1968&amp;goto=newpost</link>
			<pubDate>Wed, 08 Sep 2010 16:06:54 GMT</pubDate>
			<description><![CDATA[Requirement 9.5 states "Review the [back-up] location's security at least annually." 
 
Does this review require an on-site visit, or would a review...]]></description>
			<content:encoded><![CDATA[<div>Requirement 9.5 states &quot;Review the [back-up] location's security at least annually.&quot;<br />
<br />
Does this review require an on-site visit, or would a review of the storage facility's current SAS70 report (for example) be sufficient?</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>downeypci</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1968</guid>
		</item>
		<item>
			<title>Data input application solution?</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1967&amp;goto=newpost</link>
			<pubDate>Tue, 07 Sep 2010 10:47:43 GMT</pubDate>
			<description><![CDATA[Here's the scenario: 
 
Call centre environment, ops have to input card data onto a remote application, web based or otherwise ... take as read the...]]></description>
			<content:encoded><![CDATA[<div>Here's the scenario:<br />
<br />
Call centre environment, ops have to input card data onto a remote application, web based or otherwise ... take as read the comms channel is encrypted etc.<br />
<br />
The back end application generates session independent random mappings of the digits 0-9 to any other keyboard or printable characters and presents these to the op (virtual keypad or direct key mapping guide). Now, when the op enters the digits the input terminal is actually processing and transmitting random data rather than card data, the actual translation back from the random mapping takes place on the server side within a cardholder data environment.<br />
<br />
As the call centre ops workstation and intermediate networking components never actually process cardholder data are they all now out of scope?<br />
<br />
Thoughts, opinions &amp; suggestions all most welcome.</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>AllanPoll</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1967</guid>
		</item>
		<item>
			<title>Fund Transfer Timing</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1966&amp;goto=newpost</link>
			<pubDate>Mon, 06 Sep 2010 18:18:00 GMT</pubDate>
			<description><![CDATA[I haven't yet found a great forum to ask credit card processing questions on so I thought I'd try here. I use PayPal as a merchant account on one of...]]></description>
			<content:encoded><![CDATA[<div>I haven't yet found a great forum to ask credit card processing questions on so I thought I'd try here. I use PayPal as a merchant account on one of my websites.  Once a month, I use their Withdraw feature to move money into my Bank of America bank account.<br />
<br />
How long should the funds be absent for?<br />
<br />
The fastest that they've ever made the transfer is three days, sometimes it takes as long as week.<br />
<br />
Isn't this ridiculous? Shouldn't the transfer, being totally digital, take hours or less?  <br />
<br />
What's industry standard practice on this?</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=11"><![CDATA[Small Merchant (Level 3&4) Forum]]></category>
			<dc:creator>creditcardsonline101.com</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1966</guid>
		</item>
		<item>
			<title>Lotus Notes - Web and Database Combined</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1965&amp;goto=newpost</link>
			<pubDate>Thu, 26 Aug 2010 14:28:54 GMT</pubDate>
			<description>Hi 
 
Has anyone worked with Lotus Notes in relation to PCI Compliance? 
 
I understand Notes to be a database driven application but it can also...</description>
			<content:encoded><![CDATA[<div>Hi<br />
<br />
Has anyone worked with Lotus Notes in relation to PCI Compliance?<br />
<br />
I understand Notes to be a database driven application but it can also have a web interface (for webmail, or web sites). But I understand that the web part of it is still inextricably linked to the db part of the system.<br />
<br />
Can you segregate the roles in Lotus Notes whereby the web part of it is separate from the database? <br />
<br />
If not, can it be deemed to be PCI Compliant with reference to the &quot;Implement only one primary function per server&quot; requirement?</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>ThomasJackson</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1965</guid>
		</item>
		<item>
			<title>Service providers are now out of scope?</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1964&amp;goto=newpost</link>
			<pubDate>Tue, 24 Aug 2010 07:58:31 GMT</pubDate>
			<description>A colleague, a lapsed QSA who had to re-train due to gaps in the re-certification schedules, attended the new QSA training. 
 
On his return, my...</description>
			<content:encoded><![CDATA[<div>A colleague, a lapsed QSA who had to re-train due to gaps in the re-certification schedules, attended the new QSA training.<br />
<br />
On his return, my colleague made the following comment: <br />
&quot;An interesting point was made at the QSA training last week that when services are outsourced to a third party, they can be removed from scope and not reported.&quot;<br />
<br />
A second colleague who attended training for the first time confirmed this was stated.<br />
<br />
This is at odds with the recertification training and materials. In part, these state:<br />
&quot;To clarify, can you fail your customer if they're using a non-compliant service provider?  Only if they are included in the on-site assessment and their controls related to your client fail the test procedures.  If they are not included in the on-site assessment, then your client should inform them of their compliance status and encourage them to become compliant as soon as possible.&quot;<br />
<br />
I'm thoroughly confused, since as a QA my company can be placed into remediation if we fail to answer questions fully, yet some QSAs appear to be told to ignore a number of the test procedures if the relevant process or control is outsourced.<br />
<br />
I'd raise this with the SSC, but our liaison point is on leave for 5 weeks, and we are still waiting for responses to questions posed to the SSC months ago.<br />
<br />
My view is just include the service providers in the scope of the assessment, but the SSC appears to be saying something else. I'm loath to say &quot;Q is compliant, because they said their service providers all provide compliant services&quot; - I generally find SPs (not always) are not providing compliant services until tasked with this and actively assessed.<br />
<br />
Other comments?<br />
<br />
lyalc</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>lyalc</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1964</guid>
		</item>
		<item>
			<title>Can a QSA question AVS competency during onsite PCI audit?</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1963&amp;goto=newpost</link>
			<pubDate>Sun, 22 Aug 2010 12:36:03 GMT</pubDate>
			<description>In “Security Scanning Procedures ver. 1.1” there is a statement: 
The PCI requires all Internet-facing IP addresses to be scanned for...</description>
			<content:encoded><![CDATA[<div>In “Security Scanning Procedures ver. 1.1” there is a statement:<br />
<i>The PCI requires all Internet-facing IP addresses to be scanned for vulnerabilities. If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be in scope.</i><br />
<br />
In Executive Summary in “Requirements and Security Assessment Procedures ver. 1.2.1” there are two points:<br />
<br />
<i>Quarterly Scan Results<br />
- Summarize the four most recent quarterly scan results in the Executive Summary as well as in comments at Requirement 11.2 <br />
- <b>Scan must cover all externally accessible (Internet-facing) IP addresses in existence at the entity, in accordance with the PCI DSS Security Scanning Procedures</b>”</i><br />
<br />
Does it mean that the QSA shall check if all Internet-facing devices with IP addresses are covered in the external scan report?<br />
What is the role of the QSA? Can the QSA question AVS competency?</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>rk3745</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1963</guid>
		</item>
		<item>
			<title>Web Application Firewall (WAF) - Lateral Thinking</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1962&amp;goto=newpost</link>
			<pubDate>Thu, 19 Aug 2010 10:22:25 GMT</pubDate>
			<description>Hi, 
 
We are considering implementing a Web App Firewall (WAF) to help us meet Req 6.6 and realize it may also help meet Req 1.3. 
 
Req 1.3 states...</description>
			<content:encoded><![CDATA[<div>Hi,<br />
<br />
We are considering implementing a Web App Firewall (WAF) to help us meet Req 6.6 and realize it may also help meet Req 1.3.<br />
<br />
Req 1.3 states &quot;Prohibit direct public access between the Internet and any system component in the cardholder data environment.&quot;.<br />
<br />
The WAF we propose to use can be run in proxy mode whereby the clients' connections to our web server will first be terminated on the WAF.<br />
<br />
For certain reasons, we propose to have our web server on the backend network along with our database server. We propose to have only the WAF in the DMZ. While this may be unconventional, I can't see anywhere in the std where it specifies that you must have a web server in the DMZ.<br />
<br />
For example Req 1.3.1 just states: Implement a DMZ to limit inbound and outbound traffic to only protocols that are necessary for the cardholder data environment.<br />
<br />
Cardholder data would flow from the internet into the DMZ (Client browser --&gt; WAF) and then from WAF into our internal network (WAF --&gt; Web server; Web Server --&gt; Database Server)<br />
<br />
To the QSAs in this forum, would you find our proposed implementation to be compliant with just a WAF in the DMZ and with all the servers in the backend network?</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>ThomasJackson</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1962</guid>
		</item>
		<item>
			<title>Merchant responsibilities in managing lost customer credit cards</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1961&amp;goto=newpost</link>
			<pubDate>Tue, 17 Aug 2010 16:50:28 GMT</pubDate>
			<description>What are the responsibilities and/ or requirements of a merchant regarding the management of lost customer credit cards?  
 
Some common sense basics...</description>
			<content:encoded><![CDATA[<div>What are the responsibilities and/ or requirements of a merchant regarding the management of lost customer credit cards? <br />
<br />
Some common sense basics are obvious, staff report card to management, securely store it (while you have it, might be 1 or 2-3 days, whatever the period), securely destroy it (cross shred, etc).<br />
<br />
But what, if any, are the official rules laid out by either the card brands and/or most bank/merchant agreements?</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>jrusch</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1961</guid>
		</item>
		<item>
			<title>PIN encryption in ATMs</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1960&amp;goto=newpost</link>
			<pubDate>Mon, 16 Aug 2010 08:43:34 GMT</pubDate>
			<description>Hello guys, 
 
maybe you should help me with one question regarding the PIN and cardholder data encryption in ATM by means of keys located in EPP...</description>
			<content:encoded><![CDATA[<div>Hello guys,<br />
<br />
maybe you should help me with one question regarding the PIN and cardholder data encryption in ATM by means of keys located in EPP (pinpad) ... Does anybody know if the encryption is performed directly in the EPP of these devices (meaning in the tamper resistant area)? Or is the data (at first) transferred to the ATM's hard drive and then the encryption keys are applied in some secure way?<br />
<br />
The major thing I need to know is if the data is encrypted immediately in the EPP and only the cryptogram leaves the EPP... I suppose so, because the PCI standards say that the storing of the PIN or PIN block anywhere is forbidden ... but we know that ATMs are not fully covered by PCI standards yet (meaning their software). In most cases, the ATM also collects &quot;so-called&quot; Journals on the ATM's hard drive which contain the PAN ... so maybe there is a possibility that the sensitive authentication data is also encrypted on the hard drive, not directly in the EPP. I tried to find more information in PCI-PTS (EPP); unfortunately there is not any mention.<br />
<br />
btw: If you have any good document which describes the mentioned process then I really appreciate it. :)<br />
<br />
Thanks a lot,<br />
Martin</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>Levis</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1960</guid>
		</item>
		<item>
			<title><![CDATA[password minimum increase?  Where's the end point?]]></title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1959&amp;goto=newpost</link>
			<pubDate>Mon, 16 Aug 2010 02:04:04 GMT</pubDate>
			<description>Well, looks like pretty soon, PCI-DSS will mandate minimum of 100 characters at this rate... 
 
http://www.bbc.co.uk/news/technology-10963967</description>
			<content:encoded><![CDATA[<div>Well, looks like pretty soon, PCI-DSS will mandate minimum of 100 characters at this rate...<br />
<br />
<a href="http://www.bbc.co.uk/news/technology-10963967" target="_blank">http://www.bbc.co.uk/news/technology-10963967</a></div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>rx.jeff</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1959</guid>
		</item>
		<item>
			<title><![CDATA[SAQ-A | Are the last four digits considered "Cardholder Data"??]]></title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1958&amp;goto=newpost</link>
			<pubDate>Fri, 13 Aug 2010 13:52:12 GMT</pubDate>
			<description><![CDATA[Hi Everyone, 
 
On the Self Assessment Questionnaire A, under section 2c, it states that you can use this SAQ if you meet the following: "Merchant...]]></description>
			<content:encoded><![CDATA[<div>Hi Everyone,<br />
<br />
On the Self Assessment Questionnaire A, under section 2c, it states that you can use this SAQ if you meet the following: &quot;Merchant does not store any cardholder data in electronic format&quot;<br />
<br />
Well, my client, whom I'm helping, is self assessing and he meets all of the requirements under section 2c, except for the above statement. But, he reasons that he is compliant because they only store the last four digits and the last four digits are not really a true definition for cardholder data, because from a security perspective, what good are the four digits to anyone. Should I agree with him and let him use the SAQ-A? Little stumped here.</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>utknuclear</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1958</guid>
		</item>
		<item>
			<title>Pre-release details on Card Recon Enterprise Edition</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1957&amp;goto=newpost</link>
			<pubDate>Fri, 13 Aug 2010 13:50:15 GMT</pubDate>
			<description>To all interested parties, 
 
For those who have been asking for more information about the upcomming release of Card Recon Enterprise Edition,...</description>
			<content:encoded><![CDATA[<div>To all interested parties,<br />
<br />
For those who have been asking for more information about the upcoming release of Card Recon Enterprise Edition, please be advised we have published new information available here:<br />
<br />
<a href="http://www.groundlabs.com/products/cree" target="_blank">http://www.groundlabs.com/products/cree</a><br />
<br />
For those who are unfamiliar, Card Recon Enterprise Edition is a network based tool for finding cardholder data. Its primary purpose is to assist with PCI Compliance by providing visibility and ongoing monitoring of an organisation's non-compliant payment card storage practices. It includes native support for Windows, Linux, AIX, Solaris and HPUX with no dependencies such as java or .net. It uses pre-configured payment card scanning algorithms to accurately find payment card data and eliminate the majority of false positives normally found by other tools.<br />
<br />
The existing version of Card Recon (standard edition and consultant edition for QSAs) will still remain a popular choice for simple host by host scanning. Further information can be found here:<br />
<br />
<a href="http://www.groundlabs.com/products/crse" target="_blank">http://www.groundlabs.com/products/crse</a><br />
<br />
We wish to thank all customers and the large group of QSAs and QIRAs out there who have continued to support Card Recon. It has become the most popular tool for payment card data scanning and we will ensure it continues to be improved based on your feedback and functionality requests.<br />
<br />
Regards,<br />
<br />
The Ground Labs Team<br />
<a href="mailto:enquiries@groundlabs.com">enquiries@groundlabs.com</a><br />
<a href="http://www.groundlabs.com/" target="_blank">http://www.groundlabs.com/</a></div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=6">Vendor Arena</category>
			<dc:creator>GroundLabs</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1957</guid>
		</item>
		<item>
			<title>Any advice on Free | Open Source tools for FIM and event logging | audit trails?</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1956&amp;goto=newpost</link>
			<pubDate>Thu, 12 Aug 2010 20:54:17 GMT</pubDate>
			<description>Hi, 
 
Does anybody have suggestions on any open source tools for File Integrity Monitoring | Management along with what tools can be used for audit...</description>
			<content:encoded><![CDATA[<div>Hi,<br />
<br />
Does anybody have suggestions on any open source tools for File Integrity Monitoring | Management along with what tools can be used for audit trails | event logging for 10.2.1 to 10.3.6?<br />
<br />
Greatly Appreciated.</div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>utknuclear</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1956</guid>
		</item>
		<item>
			<title>PA-DSS v2.0</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1955&amp;goto=newpost</link>
			<pubDate>Thu, 12 Aug 2010 17:45:38 GMT</pubDate>
			<description>The PCI SSC released a summary of changes document for the new PA-DSS. 
 
https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf</description>
			<content:encoded><![CDATA[<div>The PCI SSC released a summary of changes document for the new PA-DSS.<br />
<br />
<a href="https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf" target="_blank">https://www.pcisecuritystandards.org...highlights.pdf</a></div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=9">PA-DSS (PABP)</category>
			<dc:creator>jbhall56</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1955</guid>
		</item>
		<item>
			<title>Pci 2.0</title>
			<link>http://forum.paymentsecuritypros.com/showthread.php?t=1954&amp;goto=newpost</link>
			<pubDate>Thu, 12 Aug 2010 14:49:33 GMT</pubDate>
			<description>PCI SSC released the summary of changes for PCI 2.0 released in late October. 
 
Document can be downloaded at...</description>
			<content:encoded><![CDATA[<div>PCI SSC released the summary of changes for PCI 2.0 released in late October.<br />
<br />
Document can be downloaded at<br />
<a href="https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf" target="_blank">https://www.pcisecuritystandards.org...highlights.pdf</a></div>

]]></content:encoded>
			<category domain="http://forum.paymentsecuritypros.com/forumdisplay.php?f=2"><![CDATA[PCI DSS Q&A]]></category>
			<dc:creator>return</dc:creator>
			<guid isPermaLink="true">http://forum.paymentsecuritypros.com/showthread.php?t=1954</guid>
		</item>
	</channel>
</rss>
