[WEB SECURITY] Vulnerabilities at PCI DSS sites
christian.heinrich at cmlh.id.au
Mon Jan 10 18:46:39 EST 2011
On Mon, Jan 10, 2011 at 8:48 AM, <Pak.Tjun.Chin at nab.com.au> wrote:
> Just a point to clarify.
> Banks are definitely not excluded from PCI Compliance. Any entity
> that stores, processes and/or transmits card holder data (not just credit
> cards but scheme debit cards as well) should be compliant with PCI DSS.
> Compliance is mandated by the payment card schemes and not by the
> PCI SSC. By and large, compliance validation deadlines have passed for
> merchants as well as service providers dealing with card data. Currently,
> the schemes are targeting acquirers. Specifically, Visa International, in a
> letter sent to all member acquiring VisaNet processors back in April 2009,
> has sought responses that:
> - By 30 September 2010 (Phase 1), disclose to Visa whether any
> prohibited data (i.e., CVV, CVV2 or PIN blocks) are being stored post
> authorization on their systems and if so, they must provide a remediation
> - By 30 September 2011 (Phase 2), these member VNPs must submit an
> initial PCI DSS report that identifies their level of compliance. If not
> fully compliant, a remediation plan must be provided to Visa.
> There is currently not as yet any compliance mandate to issuers.
This is dated 3 Dec 2010.
Out of interest, are NAB and the other banks in Australia considered
"Acquirers" or "Issuers"?
Mobile: +61 433 510 532 (AEST +10 GMT/UTC)