What information should be sought from service providers to validate their PCI DSS compliance?

Note: this post considers only Level 1 service providers.

As part of due diligence or a Request for Proposal / Request for Information, clients should verify their merchant's or service provider's PCI DSS compliance before doing business with them, and as an ongoing activity if they are already partnered. The following documents will give you a reasonable level of assurance that the service provider complies with the PCI DSS standard.

You can also check the VISA and MasterCard service provider listings to verify a provider's compliance status:

  1. VISA Service Provider Listing: http://www.visa.com/splisting/searchGrsp.do
  2. MasterCard Compliant Service Provider List: http://www.mastercard.com/us/company/en/whatwedo/compliant_providers.html

Which documents should be obtained from a Level 1 service provider / merchant to verify its PCI DSS compliance?

High Level Documents:

  1. CoC (“Certificate of Compliance”): a certificate issued by a PCI QSA company to a service provider after validating the service provider's PCI DSS compliance. It gives you assurance that the service provider has undergone a PCI DSS assessment for the year stated on the certificate and was found compliant with the PCI DSS standard. In addition to the certificate, payment-processing websites (e-commerce sites) may also carry a digital seal issued by the QSA company showing the start and expiry dates of the PCI compliance. Level 1 merchants / service providers are required to validate their PCI compliance annually, by a PCI QSA or by an ISA. One caveat: the PCI SSC itself does not issue or recognize certificates of compliance; the formal validation documents are the Report on Compliance (ROC) and the Attestation of Compliance (AOC) signed by the QSA and the assessed entity, so treat a CoC or seal as a prompt to ask for the current AOC rather than as proof in itself.


Security Considerations in Software Procurement

BSA | The Software Alliance, along with the Data Security Council of India (DSCI), has released a study titled “Security considerations in software procurement by government agencies in India”.

It takes a detailed look at the existing software procurement policies of the Indian government and its various agencies, and outlines global best practices for software procurement.

A very good document that helps in developing a procurement process or creating an RFP. All credit goes to DSCI & BSA.

I have also decided to write my next post based on this guide, discussing what information should be asked for in an RFP / RFI from service providers towards PCI DSS & PA-DSS compliance.

Download Link: http://mcaf.ee/n51ou

Free & Commercial Card Scan Tools

Identifying and securely deleting cardholder data (PAN) that has exceeded its retention period is one of the important activities in protecting cardholder data. Free and commercial tools are available that will assist you in identifying PANs stored in different locations (files, databases).

PCI DSS Requirement 3.1 calls for a quarterly process for identifying and securely deleting stored cardholder data that exceeds the defined retention period.

List of Free Card Scan tools:

  1. PAN Buster from XMCO: a command-line utility that helps you identify PANs and track data, with fewer false positives than the CCSRCH utility.
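To show what such a scanner actually does, here is an added example in Python (it is not code from the original post, nor from PAN Buster or CCSRCH): find digit runs of 13 to 19 digits with optional space or dash separators, apply the Luhn check, match a small issuer-prefix table, and report only masked results (first six / last four) so the scan output does not itself become cardholder data. The sample log lines are constructed for the example and use public gateway test numbers; the issuer table is a commonly cited subset and an assumption here, not an authoritative BIN list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefix ranges (inclusive) and valid PAN lengths. Assumption for this
# example: a small, commonly cited subset, not an authoritative BIN table.
_ISSUERS = {
    "visa":       ([(4, 4)], {13, 16, 19}),
    "mastercard": ([(51, 55), (2221, 2720)], {16}),
    "amex":       ([(34, 34), (37, 37)], {15}),
    "discover":   ([(6011, 6011), (644, 649), (65, 65)], {16, 17, 18, 19}),
}


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check-digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_of(digits: str) -> Optional[str]:
    """Return the issuer name if the prefix is in a known range and the length fits."""
    for name, (ranges, lengths) in _ISSUERS.items():
        for lo, hi in ranges:
            width = len(str(lo))
            if lo <= int(digits[:width]) <= hi and len(digits) in lengths:
                return name
    return None


def mask_pan(digits: str) -> str:
    """PCI DSS style masking: at most the first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class PanHit:
    line_no: int
    issuer: str
    masked: str


def scan_text(text: str) -> List[PanHit]:
    """Find likely PANs in text, returning one PanHit per validated candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue        # order numbers, timestamps etc. mostly fail here
            issuer = issuer_of(digits)
            if issuer is None:
                continue        # passes Luhn but no known issuer prefix/length
            hits.append(PanHit(line_no, issuer, mask_pan(digits)))
    return hits


# Constructed sample input for the example. The card numbers are the public
# test numbers commonly used by payment gateways, not real accounts.
SAMPLE_LOG = """\
2012-03-01 order=1234567890123456 customer=42 status=OK
2012-03-01 card=4111 1111 1111 1111 exp=12/14
2012-03-01 card=5555-5555-5555-4444 exp=01/15
2012-03-01 card=378282246310005 exp=06/14
2012-03-01 card=4111111111111112 (fails Luhn, must not be reported)
2012-03-01 txid=12345678901234 (14 digits, fails Luhn)
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.issuer:<10} {hit.masked}")
```

Running it reports only lines 2, 3 and 4: the 16-digit order number and the two other digit runs fail the Luhn check, which is the main reason a tool like this produces fewer false positives than a plain regex search. A real scan would walk files and database columns with the same `scan_text` core, and should write only the masked form and location to its report.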


Cryptographic Keys and their Cryptoperiod (NIST Recommendations) 2012

Cryptoperiod:

The time span during which a specific cryptographic key can be used for its defined purpose, based on, for example, a defined period of time and/or the amount of ciphertext that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).


BlueKrypt (www.bluekrypt.com) provides a small web-based utility, hosted at http://www.keylength.com, that presents the cryptoperiod of each type of cryptographic key in a well-designed and easy-to-understand form. Below are the NIST 2012 recommendations extracted from keylength.com.