WebApp Sec mailing list archives
Re: PCI - Visa / MC / Amex merchant security standards
From: Andre Ludwig <andre.ludwig () gmail com>
Date: Wed, 9 Feb 2005 11:27:24 -0500
It should be noted that there CAN be differences in the PCI standard due to the fact that it is based off the SDP and CISP programs from master card and visa. Since each VISA region is separate and independent there can be instances of where VISA asia sees something one way and VISA EU has a different spin on it. So just be aware of that, make sure if you are trying to figure out the standard that applies to you you take a look at that regions documentation from the CISP program. Since the master card SDP program is global there isn't any issue with the portions of the PCI that came from that standard. /rant Andre On Thu, 10 Feb 2005 00:06:33 +1100, Andrew van der Stock <vanderaj () greebo net> wrote:
Visa seems to be having some difficulties with that URL - it was fine for me earlier - I literally cut and pasted it. However, that doesn't work right now, hopefully Visa will have it back soon. The overall CISP program is here: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html?it =c|/business/accepting_visa/index%2Ehtml|Cardholder%20Information%20Security %20Program%20(CISP) (URL wrapped - please concatenate on one line) If you are in the Asia Pacific Region (like me!), this link would serve you better: http://www.visa-asia.com/secured/ There are many more PDF documents in that URL, including how to conduct an audit, what an audit should contain, FAQ's, and advice for larger processors (ie merchants like eBay or major retailers). Also, I see you work for a bank. The above guidelines, although good solid security controls, do not really apply to issuing institutions. You need to contact your card services people (if it is not you :) and talk to them about the controls. Many of the controls should be adopted - particularly the change management and patch management ones, code reviews, regular auditing, etc. However, some of them, like not storing cc #'s and ccv's can't apply to issuing institutions as you generate these values for card holders. Good luck! Thanks, Andrew ________________________________________ From: Murli [mailto:obscured] Sent: Wednesday, 9 February 2005 11:06 PM To: Andrew van der Stock Subject: RE: PCI - Visa / MC / Amex merchant security standards Hi andrew - thank you for the info. I tried accessing the link you had provided but it threw up an error. Could you pls recheck the link and confirm. Thanks Murli
Current thread:
- PCI - Visa / MC / Amex merchant security standards Andrew van der Stock (Feb 08)
- <Possible follow-ups>
- RE: PCI - Visa / MC / Amex merchant security standards Andrew van der Stock (Feb 09)
- Re: PCI - Visa / MC / Amex merchant security standards Andre Ludwig (Feb 10)
- RE: PCI - Visa / MC / Amex merchant security standards Lyal Collins (Feb 12)
- Re: PCI - Visa / MC / Amex merchant security standards Andre Ludwig (Feb 10)