New security standard for CHAPS who have your CREDIT CARD data

A new version of the PCI-DSS payment card industry standard was published yesterday, and is due to come into effect at the start of January. The new rules place a greater emphasis on promoting improved security rather than complying with pre-set rules. PCI DSS 3.0 is designed to "help organisations take a proactive approach …

COMMENTS

This topic is closed for new posts.
  1. wyatt

    Thought provoking

    I install and maintain voice recording equipment, often with pause/resume functionality to aid with reaching PCI DSS standards. I only install it and make it work; I don't go that step further and ensure default passwords are changed etc. Is that my responsibility? I would say not, as the end customer should know what needs to be done and either specify or configure this themselves.

    I don't know of any that ever do change the defaults. Maybe they will at audit time (if big enough!)?

  2. Velv

    "...and moving towards best-practice security."

    I know it's generic, but I loathe the term "best practice" for two reasons:

    1. it gives people a false sense of security - "we're doing what's best so we must be safe"; and

    2. there really is no such thing as "best" practice, because every situation is different.

    We really should be encouraging the use of the term "good practices", because let's face it, the "best" security is about multiple layers and multiple factors appropriate to the situation and use case.

  3. Richard Jukes

    BAH!

    I hate PCI DSS annual review time. Thankfully we keep customers' card details in an A5 notepad that is locked in a safe. As such the review is quite straightforward.

    However, if I were to keep those details on an electronic CRM (which would make my life a lot easier) I then have around about 80 pages of technobabble to wade through and complete. I can change default passwords of routers and do quite a bit of technical stuff; however, I do get lost on the vast majority of the PCI DSS review (if I were to store details electronically). A lot of it is very network specific and I am out of my depth (and I consider myself more IT literate than average and certainly a lot more IT literate than the average business owner).

    While I appreciate that PCI DSS is something that needs to be adhered to, not only for the sake of customers but also for the sake of the business - it is not something that I feel I can fully complete, hence we stick to the idiot proof paper and safe option.

    There is a MASSIVE gap in the market for tech companies or contractors to offer PCI DSS compliance configuration and PCI DSS reviews, however many companies I have approached seem to wish to stay well clear.

    1. Graham Marsden

      @Richard Jukes - Re: BAH!

      I have to agree. The full PCI-DSS compliance requirements are ridiculously over-complex for a small business.

      The first time I tried to register, I went through their "helpful" questionnaire which then reckoned I needed to do the whole rigmarole and, despite being pretty tech savvy, I ended up going "WTF is *that* all about?"

      Fortunately, after phoning up their help line and speaking to someone who actually knew the system, I found that I didn't need to do all that and could skip about 90% of the process.

      1. Richard Jukes

        Re: @Richard Jukes - BAH!

        That is just it, yourself and I are tech savvy (we do after all read this site) and I had the same impression as yourself 'WTF IS ALL THIS? WHAT DOES IT MEAN?'.

        If people like you and I are getting stuck on the PCI DSS, what hope have small businesses got?

        There really is a market there for PCI DSS config and review, I would happily pay £150 to £250 per year for it just to avoid the headache.

  4. John Smith 19
    Meh

    CC Companies "Bottom line. This proves it's not our fault"

    Which I think is the core requirement of such standards.

  5. phil dude

    question...?

    I know very little about this area but I'm curious. Is it possible to have one-time passwords used instead of static information? So instead of account info, some unique transaction string that cannot be abused?

    I know this is the chip+PIN bank mechanism, but surely it would stop the "static info" problem.

    Genuine inquiry!

    P.
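
phil dude's question above asks whether a single-use transaction string could stand in for static card data. The following is an added illustration, not code from the article or from any commenter, of a minimal tokenization vault: the merchant keeps only a random single-use token, the card number stays in the vault, and a replayed token is rejected. The class and function names and the sample card number are hypothetical.

```python
import secrets
from typing import Dict, Optional, Set, Tuple


class TokenVault:
    """Hypothetical single-use token vault (illustration only).

    The merchant never stores the PAN (card number); it holds a random
    token that the vault maps back to the PAN exactly once. A leaked
    token cannot be reused, and it reveals nothing about the PAN because
    it is generated randomly rather than derived from it.
    """

    def __init__(self) -> None:
        self._live: Dict[str, str] = {}   # token -> PAN, valid for one redemption
        self._spent: Set[str] = set()     # tokens already redeemed

    def issue(self, pan: str) -> str:
        """Return a fresh random token bound to this PAN."""
        token = secrets.token_urlsafe(24)
        self._live[token] = pan
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Release the PAN for one transaction, then invalidate the token.

        Returns None for unknown or already-spent tokens, so a captured
        token is useless once the legitimate charge has gone through.
        """
        pan = self._live.pop(token, None)
        if pan is None:
            return None
        self._spent.add(token)
        return pan

    def is_spent(self, token: str) -> bool:
        return token in self._spent


def merchant_flow(vault: TokenVault, pan: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Simulate the merchant side: obtain a token, charge once, then replay it."""
    token = vault.issue(pan)
    first = vault.redeem(token)   # legitimate charge succeeds
    replay = vault.redeem(token)  # replay of the same token is rejected
    return token, first, replay


if __name__ == "__main__":
    # Constructed sample PAN (a well-known test number, not a real card).
    print(merchant_flow(TokenVault(), "4111111111111111"))
```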

  6. hairydog

    Another bank scam

    I look after several ecommerce websites, with different clients, different banks but more or less the same setup. So why is there such a vast difference in their PCI experiences?

    The banks pass the PCI certification to third-party companies, some of whom are fine. They ask sensible questions and do fair assessments.

    But others are a nightmare. They ask incomprehensible questions that couldn't be answered even if they were relevant. They find vulnerabilities that don't exist, or ones that are there in every ecommerce web server in the world. Their approach is all intended to get the client to pay them rip-off fees for technical support. I assume that they are paying the banks to con clients their way.
