WebApp Sec mailing list archives
RE: PCI - Visa / MC / Amex merchant security standards
From: "Lyal Collins" <lyal.collins () key2it com au>
Date: Sun, 13 Feb 2005 10:30:31 +1100
On a slightly general note about CISP/AIS and SDP, and the merged PCI. It is good that there is a common benchmark for credit card payments. The remaining difficulty is that the audit process is aimed at a number of specifics that are costly (commercially impossible) to meet, and hence the audit allows for 'compensating controls' to be considered to be deemed equivalent. Thus, if the standard calls for "X", a site can say "we do Y because our software/hardware doesn't do X, and we believe Y is secure enough" and still comply to the auditing standard. I know the standard(s) are written to be "generic", but not generically enough. Of course, if every site were 100% compliant, they'd be running the almost exactly same platfom, which is the bad practice of monoculture-ism, let alone stifle innovation in the industry. Compliance is a process issue, and these standards and underlying compliance processes mean every site has most things; corrollary is the not all sites have everything demanded in the standards. It is also interesting to note that few banks could comply with the letter of the Scheme defined standards for merchants and payment processors which interact with those banks - certaily this is true in several Aisa Pacific countries. /rant Lyal -----Original Message----- From: Andre Ludwig [mailto:andre.ludwig () gmail com] Sent: Thursday, 10 February 2005 3:27 AM To: Andrew van der Stock Cc: owasp-guide () lists sourceforge net; webappsec () securityfocus com Subject: Re: PCI - Visa / MC / Amex merchant security standards It should be noted that there CAN be differences in the PCI standard due to the fact that it is based off the SDP and CISP programs from master card and visa. Since each VISA region is separate and independent there can be instances of where VISA asia sees something one way and VISA EU has a different spin on it. So just be aware of that, make sure if you are trying to figure out the standard that applies to you you take a look at that regions documentation from the CISP program. Since the master card SDP program is global there isn't any issue with the portions of the PCI that came from that standard. /rant Andre On Thu, 10 Feb 2005 00:06:33 +1100, Andrew van der Stock <vanderaj () greebo net> wrote:
Visa seems to be having some difficulties with that URL - it was fine for me earlier - I literally cut and pasted it. However, that doesn't work right now, hopefully Visa will have it back soon. The overall CISP program is here: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.h tml?it
=c|/business/accepting_visa/index%2Ehtml|Cardholder%20Information%20Security
%20Program%20(CISP) (URL wrapped - please concatenate on one line) If you are in the Asia Pacific Region (like me!), this link would serve you better: http://www.visa-asia.com/secured/ There are many more PDF documents in that URL, including how to conduct an audit, what an audit should contain, FAQ's, and advice for larger processors (ie merchants like eBay or major retailers). Also, I see you work for a bank. The above guidelines, although good solid security controls, do not really apply to issuing institutions. You need to contact your card services people (if it is not you :) and talk to them about the controls. Many of the controls should be adopted - particularly the change management and patch management ones, code reviews, regular auditing, etc. However, some of them, like not storing cc #'s and ccv's can't apply to issuing institutions as you generate these values for card holders. Good luck! Thanks, Andrew ________________________________________ From: Murli [mailto:obscured] Sent: Wednesday, 9 February 2005 11:06 PM To: Andrew van der Stock Subject: RE: PCI - Visa / MC / Amex merchant security standards Hi andrew - thank you for the info. I tried accessing the link you had provided but it threw up an error. Could you pls recheck the link and confirm. Thanks Murli
Current thread:
- PCI - Visa / MC / Amex merchant security standards Andrew van der Stock (Feb 08)
- <Possible follow-ups>
- RE: PCI - Visa / MC / Amex merchant security standards Andrew van der Stock (Feb 09)
- Re: PCI - Visa / MC / Amex merchant security standards Andre Ludwig (Feb 10)
- RE: PCI - Visa / MC / Amex merchant security standards Lyal Collins (Feb 12)
- Re: PCI - Visa / MC / Amex merchant security standards Andre Ludwig (Feb 10)