How to send feedback to the PCI Council on the recent assessment experienced with QSA Company?

As per PCI Council, QSAs and ASVs are contractually obligated to inform their clients of the online feedback tool upon commencement of services. I really don’t know how many QSA Companies are informing their clients to submit the feedback form to the PCI Council on the recent assessment they have undertaken.

Feedback is really important for PCI Council to evaluate and to take necessary actions on the QSA Company performance.

However, here are the links provided to submit the feedback form for various programs,

1. PCI DSS (QSA Feedback Form)
   https://www.pcisecuritystandards.org/approved_companies_providers/qsafeedback1.php
2. PA DSS (PA QSA Feedback Form)
   https://www.pcisecuritystandards.org/approved_companies_providers/pa-qsaclientfeedbackform.php
3. ASV Feedback form
   https://www.pcisecuritystandards.org/approved_companies_providers/asv-feedbackform.php
4. PCIP Feedback form
   https://www.pcisecuritystandards.org/approved_companies_providers/pcip-feedbackform.php
5. P2PE Feedback form
   https://www.pcisecuritystandards.org/approved_companies_providers/p2pe-feedbackform.php
6. QIR Feedback form
   https://www.pcisecuritystandards.org/approved_companies_providers/qir-feedbackform.php

Free & Commercial Card Scan Tools

Identifying and Securely deleting card holder data (PAN) that has exceeded its retention period, is one of the important activity in protecting card holder data. There are free & commercial version of tools available in the market which will assist you in identifying the PAN Stored in the different locations (Files, Databases).

PCI-DSS Requirement 3.1: A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

List of Free Card Scan tools:

1. PAN Buster from XMCO – Command line utility which will help you to identify the PAN and Track Data. Less false positive when compared to CCSRCH utility.

Continue reading →

Cryptographic Keys and their Cryptoperiod (NIST Recommendations) 2012

Cryptoperiod:

The time span during which a specific cryptographic key can be used for its defined purpose based on, for example, a defined period of time and/or the amount of cipher-text that has been produced, and according to industry best practices and guidelines (for example, NIST Special Publication 800-57).

---

 

Well designed and easy to understand the Cryptoperiod of each cryptographic keys by using the small web based utility designed by BlueKrypt (www.bluekrypt.com) and hosted in their website (http://www.keylength.com). Below is the NIST 2012 recommendations extracted from the keylength.com. Continue reading →