[WEB SECURITY] Vulnerabilities at PCI DSS sites

Christian Heinrich christian.heinrich at cmlh.id.au
Mon Jan 10 18:46:39 EST 2011


Pak-Tjun,

On Mon, Jan 10, 2011 at 8:48 AM, <Pak.Tjun.Chin at nab.com.au> wrote:

> Hi,
>
> Just a point to clarify.
>
> Banks are definitely not excluded from PCI compliance. Any entity
> that stores, processes and/or transmits cardholder data (not just credit
> cards but scheme debit cards as well) should be compliant with PCI DSS.
>
> Compliance is mandated by the payment card schemes and not by the
> PCI SSC. By and large, compliance validation deadlines have passed for
> merchants as well as service providers dealing with card data. Currently,
> the schemes are targeting acquirers. Specifically, Visa International, in a
> letter sent to all member acquiring VisaNet processors back in April 2009,
> has sought responses that:
>
>    - By 30 September 2010 (Phase 1), they disclose to Visa whether any
>    prohibited data (i.e., CVV, CVV2 or PIN blocks) are being stored post
>    authorization on their systems and, if so, provide a remediation
>    plan.
>    - By 30 September 2011 (Phase 2), these member VNPs submit an
>    initial PCI DSS report that identifies their level of compliance. If not
>    fully compliant, a remediation plan must be provided to Visa.
>
> There is currently not as yet any compliance mandate for issuers.
>
https://www.infosecisland.com/blogview/9837-PCI-DSS-for-Issuers-and-Financial-Institutions.html
(this is dated 3 Dec 2010)

Out of interest, are NAB and the other banks in Australia considered
"Acquirers" or "Issuers"?


-- 
Regards,
Christian Heinrich

http://www.linkedin.com/in/ChristianHeinrich

Mobile: +61 433 510 532 (AEST +10 GMT/UTC)
SkypeID: cmlh.id.au