I’m sure most of you would have already seen this, namely a document that summarises the upcoming changes to PCI DSS and what’s going to be in Version 2.0: https://www.pcisecuritystandards.org/pdfs/summary_of_changes_highlights.pdf Official pre-release with Participating Organizations will happen early September, with release to Merchants, Service Providers and QSAs at the end of October. Yes, that’s right. […]
PCI DSS 2.0 has landed Read More »
Visa CodeSure has hit the market. These are cards with built in alpha-numeric displays that allow one-time passcodes to be used in conjunction with a PIN to secure online transactions: The first challenge must be replacing the 1.4bn Visa cards already out there, the second being – will it really work and how long will
Visa CodeSure has landed Read More »
I was setting up an online banking account with Sainsbury’s earlier, and was asked to complete a number of ‘secret questions’ to which ‘only I know the answer to’. One of the questions was ‘what’s the name of your favourite singer?’. Am I missing something, but isn’t this a pretty silly question to ask, bearing
Online Banking Security – a step too far?? Read More »
Even if you bought every product on sale at Infosec this year, your data still wouldn’t be secure, but it still amazes me to find vendors that say that their product alone will solve all your problems. Sigh.
At long last, the standard finally looks like it will mandate that merchants / service providers conduct regular scans for accidental (leaked) and legacy stores of card data on networks. I have long advised this, but always got the kick back from merchants that ‘well, it’s not in the standard so we’re not going to
Data Discovery likely to become mandated in PCI DSS v1.3 / 2.0 Read More »
…that’s the message I’ve been hearing from vendors whom are all leaping on the marketing bandwagon and trying to make a quick buck out of the Data Protection Act (DPA). Whilst a spot of scare-mongering encourages some healthy debate, this is verging on the ridiculous. If I see another mailshot with the words “£500,000. Can
£500,000 fine for everybody that makes a mistake and loses personal data!! Read More »
So it appears MasterCard took a quiet U-turn over the festive break and dropped the requirement for an onsite QSA audit for level 2 merchants for July 2010: http://www.mastercard.com/us/sdp/merchants/merchant_levels.html A more sensible date of 30 June 2011 is listed, along with the footnote that Merchants can use their own staff as long as they have
Onsite QSA Requirement for Level 2 Merchants – REVERSED!! Read More »
I get asked this a lot, but default MD5 and SHA-1 hashing algorithms should not be acceptable means to render cardnumbers unreadable in the eyes of a security professional, or QSA. Although the hashing algorithm itself is secure, any information that has been hashed using MD5 or SHA-1 is now easily retrievable through the use
PCI DSS 3.4 and Secure Hashing Read More »
