Tag Archive | "pci dss"

Franchise Models, Responsibilities, and the Impact on PCI Compliance


An interesting post from blog.elementps.com on the difficulties of franchise models and their impact on the paths of responsibility for PCI DSS compliance.

From a branding standpoint, franchisors have a lot to lose if one of their franchisees falls victim to a breach. Depending on the level of media attention the breach garners, one at a store in downtown Philadelphia has the potential to negatively affect the brand – and, arguably, sales – across the state, regionally or even nationally.

The interesting thing with franchising and PCI DSS is that, while franchisees may have individual merchant accounts with the bank (and therefore be responsible for their own reporting), the impact of a breach on the franchisor's compliance may come into question if a breach were to occur, as well as the inevitable brand reputation loss…

I’d be interested to hear any feedback from the field on the topic.


Visa Releases Global Data Encryption Best Practices


Here’s an excerpt of the release from Visa:

The marketplace has expressed a growing interest in pursuing data field encryption (also known as end-to-end encryption) of card data. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the “clear.” Importantly, data field encryption renders cardholder data useless to criminals in the event of a merchant data breach.

The full clarification can be downloaded here, and a “softer” version with some executive-summary-style information here.

Kudos to Visa for seeking to clear this issue up a bit.


Pentesting vs Vulnerability Assessment – A Simple Definition


Found a very neat and succinct way of defining the difference between VA and Pentesting.


During a vulnerability assessment an environment is assessed to determine if known vulnerabilities can be identified. Penetration testing goes a step further by attempting to exploit these identified vulnerabilities.

The difference between the two, in terms of identifying a need within an organization, is that vulnerability assessment can be achieved using automated tools, whereas penetration testing generally cannot.

This matters because vulnerability assessment and penetration testing are addressed as separate requirements of the PCI DSS: doing a VA will not satisfy the pentesting requirement, and vice versa.
