Category Archives: PCI Compliance

THE NEW YORK STATE DEPARTMENT of FINANCIAL SERVICES (DFS) CYBERSECURITY REGULATION 23 NYCRR 500 SECTION 11

by Viviana Wesley PCI QSA, ISO 27001 Auditor – Managing Consultant, Governance & Compliance Services

Cyber security is a moving target.  The technology and policies that kept users, devices and data safe at one time are eventually compromised at some point by the growing skills of cybercriminals and technology itself.  This is one of the reasons security standards such as PCI DSS (Payment Card Industry Data Security Standard) are moving targets as well.  Things never remain stationary in a world that is digitally transforming itself and security standards would not be relevant unless they dynamically changed along with the world. (more…)

By Viviana Wesley, PCI QSA, ISO 27001 Auditor

The process of securing cardholder data is a shared responsibility amongst multiple parties that play a role in the card transaction process. They include merchants, processors, acquirers, backup tape storage facilities, issuers and service providers just to name a few. All of these entities play a part in the far-reaching responsibility of protecting consumer data. The Payment Card Industry Data Security Standard or PCI DSS is the roadmap that they can turn to in order to prevent the compromising of primary account numbers (PAN) and other sensitive consumer credit card information. (more…)

What kind of security assessment do I need? It’s a question we at HALOCK Security Labs hear all the time. Every regulation and information security standard in existence tells us that we must undergo some kind of regular assessment. But the security field has not been consistent in advising what kinds of assessments fit which purpose best. (more…)

As part of its enduring interest in LifeLock, Inc., the Federal Trade Commission issued the following statement on December 17, 2015, “PCI DSS certification is insufficient in and of itself to establish the existence of reasonable security protections … the existence of a PCI DSS certification is an important consideration in, but by no means the end of, our analysis of reasonable security.” This statement might be alarming to the business and security communities, but it’s important to understand their statement in context, and for you to know what to do about it. (more…)

A Merchant’s Guide to PCI SSC Compliance By Morgan Rickel  PMP, QSA

If you are a merchant considering the implementation of a mobile payment acceptance solution, or if you are currently using one, the Payment Card Industry Security Standards Council (PCI SSC) has determined that one of the major risk factors in validating mobile payment acceptance applications with the Payment Application Data Security Standard (PA–DSS) is the environment that the application operates within and the ability of that environment to support the merchant in achieving PCI DSS compliance.  From a PCI perspective, the type of mobile communications device that is selected will have a direct impact on the PA-DSS validation. (more…)

Payment Card Industry Security Standards Council (PCI SSC)  by Viviana Wesley, PCI QSA, ISO 27001 Auditor

The Payment Card Industry Security Standards Council (PCI SSC) will be releasing version 3.2 of the Payment Card Industry Data Security Standard (PCI DSS) in the second quarter of 2016 and will become effective as soon as it’s published. PCI DSS version 3.1 will be retired three months later to allow organizations to complete PCI DSS v3.1 assessments already under way. (more…)

Author: Todd Becker, PCI QSA, ISO 27001 Auditor

‘Chip and PIN’, or EMV (“Europay, MasterCard, Visa”), is an open-standard set of specifications for smart card payments and acceptance devices and is a popular topic these days with HALOCK’s PCI clients. EMV is not a PCI requirement. However, there is a ‘liability shift’ in October 2015 that impacts brick and mortar merchants that accept credit cards (i.e. all of them).  With this in mind, it is important to understand that EMV and PCI are complementary in their relationship, rather than being interwoven. We will explain below.

(more…)

Author: Todd Becker, PCI QSA, ISO 27001 Auditor

If you are a Level 1 or Level 2 merchant, complying with the Payment Card Industry Data Security Standard (PCI DSS) continues to get more complicated.  The stakes have never been higher for large organizations that process payments.  With major data breaches constantly in the headlines like Target, Home Depot, JP Morgan Chase and countless others, organizations are relying more and more on QSA’s to help them navigate the Standard and get in compliance.  Additionally, with risk management taking a larger focus, organizations are looking for QSA’s that have the right credentials that aren’t simply taking an audit checklist approach to PCI, but using critical thinking skills to delve deeper into the organization to uncover hidden risks. (more…)

Author: Viviana Wesley, PCI QSA

The Payment Card Industry Data Security Standard (PCI DSS) version 3.1 was released today outlining a number of important changes. (more…)