[WEB SECURITY] Vulnerabilities at PCI DSS sites
Pak.Tjun.Chin at nab.com.au
Sun Jan 9 16:48:10 EST 2011
Hi,
Just a point to clarify.
Banks are definitely not excluded from PCI Compliance. Any entity
that stores, processes and/or transmits card holder data (not just credit
cards but scheme debit cards as well) should be compliant with PCI DSS.
Compliance is mandated by the payment card schemes and not by the
PCI SSC. By and large, compliance validation deadlines have passed for
merchants as well as service providers dealing with card data. Currently,
the schemes are targeting acquirers. Specifically, Visa International, in
a letter sent to all member acquiring VisaNet processors back in April
2009, has sought responses that:
By 30 September 2010 (Phase 1), disclose to Visa whether any prohibited
data (i.e., CVV, CVV2 or PIN blocks) is being stored post-authorization
on their systems and, if so, provide a remediation plan.
By 30 September 2011 (Phase 2), these member VNPs must submit an initial
PCI DSS report that identifies their level of compliance. If not fully
compliant, a remediation plan must be provided to Visa.
There is currently no compliance mandate for issuers as yet.
Cheers!
"MustLive" <mustlive at websecurity.com.ua>
07/01/2011 08:53 AM
Please respond to
"MustLive" <mustlive at websecurity.com.ua>
To
"Christian Heinrich" <christian.heinrich at cmlh.id.au>
cc
<websecurity at webappsec.org>
Subject
Re: [WEB SECURITY] Vulnerabilities at PCI DSS sites
Christian!
Thanks for your point of view. I see that Kare has a different opinion on
some of these questions and I'll write my comments on the posts of both of
you soon.
You and Kare can look at another three questions which I wrote (and
answered) before these ones
(http://www.webappsec.org/lists/websecurity/archive/2010-12/msg00084.html),
in case you have anything to add to my answers.
> PCI DSS is intended for Merchants not EPS.
And what if the EPS is a Merchant (if it's doing acquiring)? These two EPS,
which I mentioned earlier, are not "simple EPS", but systems which call
themselves EPS but also do internet acquiring (they process and store
card data, as I already mentioned before).
> Banks are excluded i.e. PCI DSS is an agreement specified by the Bank
> to the Merchant and not vice versa.
But what about those banks (which I meant) that do acquiring, online
banking and many other things, where there is processing and storing of
card data? They also must be PCI DSS compliant. I.e. not an agreement with
the Merchant, but with the Card brands (that's how I see it must be - there
must be no exclusions from the list of those who process and store card
data).
>> 3. Does the company, owner of EPS, is deceiving people by not having PCI
>> DSS and putting "funky" Verified by VISA and MasterCard SecureCode logos?
>
> Their intent is different.
Yes, the intent of PCI DSS and 3D-Secure is different, as I already wrote
during the previous conversation with Mostafa. But what about the intent of
such companies - that is what this question was about. I see that such
companies are deceiving people (I'll write more about it later).
> http://www.xssed.com/news/121/MasterCard_and_Visa_sites_bitten_by_XSS_bugs/
It's interesting, I'll look at these posts. It is possible that these
holes-making companies just think that because they're not doing any card
acquiring at their sites, they don't need to be PCI DSS compliant or to
attend to the security of their sites ;-).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: "Christian Heinrich" <christian.heinrich at cmlh.id.au>
To: "MustLive" <mustlive at websecurity.com.ua>
Cc: <websecurity at webappsec.org>
Sent: Sunday, January 02, 2011 3:34 AM
Subject: Re: [WEB SECURITY] Vulnerabilities at PCI DSS sites
> MustLive,
>
> On Fri, Dec 31, 2010 at 8:50 AM, MustLive <mustlive at websecurity.com.ua>
> wrote:
>> 1. Why EPS which works with cards - for many years (and doing business not
>> only in Ukraine, but worldwide) isn't PCI DSS certified?
>
> PCI DSS is intended for Merchants not EPS.
>
>> 2. Don't Visa and MasterCard asking from EVERY company and bank (or at least
>> large ones) which work with cards to be PCI DSS compliant?
>
> Banks are excluded i.e. PCI DSS is an agreement specified by the Bank
> to the Merchant and not vice versa.
>
>> 3. Does the company, owner of EPS, is deceiving people by not having PCI
>> DSS and putting "funky" Verified by VISA and MasterCard SecureCode logos?
>
> Their intent is different.
>
>> 4. Are they not caring about security of their sites?
>
> [SNIP]
>
>> 5. Do Visa and MasterCard will be doing any sanction to such sites, who
>> work with cards, but isn't PCI DSS compliant and are hiding behind Verified
>> by VISA and MasterCard SecureCode logos?
>
> http://www.xssed.com/news/121/MasterCard_and_Visa_sites_bitten_by_XSS_bugs/
> i.e. the Card Brands are exploiting the "Economics of Information
> Security" http://www.cl.cam.ac.uk/~rja14/econsec.html
>
>
>
> --
> Regards,
> Christian Heinrich
>
> http://www.linkedin.com/in/ChristianHeinrich
>
> Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
> SkypeID: cmlh.id.au