Visa Europe have recently announced that retailers that are using chip and PIN at a store level only have to complete milestones 1 and 2 in order to validate their compliance. Furthermore, if the retailer extends compliance to cover milestones 3 and 4, they would be exempt from any penalties in the event of data […]

I’m still coming across a number of brick and mortar merchants whom have been advised by their QSA to put their store environments into scope of PCI DSS and spend millions of pounds implementing end-point security and network monitoring solutions. Exactly what benefit does this give? Not even high street banks go to this level

If you’re going through a PCI DSS assessment and hit point 12.8, you might think of a Service Provider with whom you share card data with to be a bank or payment processor. After all, any other company with whom you have a relationship surely couldn’t impose a risk to you customer’s card data? You

I was at Visa Europe’s QSA Briefing yesterday, and one question that cropped up was whether or not a Concierge style service would bring that Concierge into scope as a Service Provider. By Concierge, I mean an entity that keeps Consumer’s card numbers on file so it can book things like flights or hotels on

We’re all hearing a lot about end to end encryption as a security solution for the payments industry at the moment. The message that’s been pushed out is that merchants all need to change their PEDs and introduce more recent, encryption-capable models, so that as soon as card details hit the PED, the PED encrypts

According to Visa, there have now been a significant number of successful attacks against merchants whom use hosted payment pages. A hosted payment page is one that you can embed in your website, but directs all Customer transaction details to a third party – think Datacash, Cybersource et al. Hosted payment pages offer two distinct

I’m sure most of you would have already seen this, namely a document that summarises the upcoming changes to PCI DSS and what’s going to be in Version 2.0: https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf Official pre-release with Participating Organizations will happen early September, with release to Merchants, Service Providers and QSAs at the end of October. Yes, that’s right.

Visa CodeSure has hit the market. These are cards with built in alpha-numeric displays that allow one-time passcodes to be used in conjunction with a PIN to secure online transactions: The first challenge must be replacing the 1.4bn Visa cards already out there, the second being – will it really work and how long will

At long last, the standard finally looks like it will mandate that merchants / service providers conduct regular scans for accidental (leaked) and legacy stores of card data on networks. I have long advised this, but always got the kick back from merchants that ‘well, it’s not in the standard so we’re not going to