[WEB SECURITY] Vulnerabilities at PCI DSS sites
MustLive
mustlive at websecurity.com.ua
Sat Jan 15 16:36:13 EST 2011
Hello Pak-Tjun!
Thanks for your clarification.
I have always believed that banks are included in PCI compliance (based on the
statement that everybody who works with card data must be PCI DSS
compliant). It concerns those banks' sites which store, process and/or
transmit card data.
There are bank sites which do not belong to these categories (e.g.
informational sites) and which don't need PCI DSS, and I have been working with
different Ukrainian banks for the last years (and have made security audits for
such types of sites). But I always tell all my clients from banks that they
need a PCI DSS audit for their sites, and only if they have such a type of site
which doesn't require it, or they just do not need PCI DSS for any of their
sites for now (but it will be required in the future due to work with card
data), only then do I begin to work with such clients.
Can you give some additional clarification? What is the remediation plan which
must be provided to Visa, which you mentioned quoting Visa International?
And if on 30 September 2010 / 30 September 2011 some site which
stores/processes/transmits cardholder data is not fully compliant (or not
compliant at all) with PCI DSS, then what will happen to it?
This question follows question #3 - Will VISA and MasterCard apply
any sanctions to those sites (which are in their programs) which are PCI DSS
compliant but have holes, or to those which are not PCI DSS compliant (but
approved to their programs) and have holes?
(http://www.webappsec.org/lists/websecurity/archive/2010-12/msg00084.html)
and question #5 - Will Visa and MasterCard apply any sanctions to such
sites, which work with cards but are not PCI DSS compliant and are hiding
behind Verified by VISA and MasterCard SecureCode logos?
(http://www.webappsec.org/lists/websecurity/archive/2010-12/msg00091.html).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
----- Original Message -----
From: Pak.Tjun.Chin at nab.com.au
To: MustLive
Cc: Christian Heinrich ; websecurity at webappsec.org
Sent: Sunday, January 09, 2011 11:48 PM
Subject: Re: [WEB SECURITY] Vulnerabilities at PCI DSS sites
Hi,
Just a point to clarify.
Banks are definitely not excluded from PCI Compliance. Any entity
that stores, processes and/or transmits card holder data (not just credit
cards but scheme debit cards as well) should be compliant with PCI DSS.
Compliance is mandated by the payment card schemes and not by the
PCI SSC. By and large, compliance validation deadlines have passed for
merchants as well as service providers dealing with card data. Currently,
the schemes are targeting acquirers. Specifically, Visa International, in a
letter sent to all member acquiring VisaNet processors back in April 2009,
sought responses that:
By 30 September 2010 (Phase 1), disclose to Visa whether any prohibited data
(i.e., CVV, CVV2 or PIN blocks) is being stored post-authorization on their
systems and, if so, provide a remediation plan.
By 30 September 2011 (Phase 2), these member VNPs must submit an initial PCI
DSS report that identifies their level of compliance. If not fully
compliant, a remediation plan must be provided to Visa.
There is currently not yet any compliance mandate for issuers.
Cheers!
"MustLive" <mustlive at websecurity.com.ua>
07/01/2011 08:53 AM
Please respond to "MustLive" <mustlive at websecurity.com.ua>
To: "Christian Heinrich" <christian.heinrich at cmlh.id.au>
cc: <websecurity at webappsec.org>
Subject: Re: [WEB SECURITY] Vulnerabilities at PCI DSS sites
Christian!
Thanks for your point of view. I see that Kare has a different opinion on some of
these questions, and I'll write my comments on both of your posts soon.
You and Kare can look at the other three questions which I wrote (and
answered) before these ones
(http://www.webappsec.org/lists/websecurity/archive/2010-12/msg00084.html),
in case you have something to add to my answers.
> PCI DSS is intended for Merchants not EPS.
And what if the EPS is a Merchant (if it's doing acquiring)? These two EPS, which I
mentioned earlier, are not "simple EPS", but systems which call
themselves EPS while also doing internet acquiring (they process and store
card data, as I already mentioned).
> Banks are excluded i.e. PCI DSS is an agreement specified by the Bank
> to the Merchant and not vice versa.
But what about those banks (which I meant) that are doing acquiring, online
banking and much other stuff where card data is processed and stored?
They also must be PCI DSS compliant. I.e. not an agreement with the Merchant,
but with the card brands (that is how I see it must be - there must be no exclusions
from the list of those who process and store card data).
>> 3. Does the company, owner of EPS, is deceiving people by not having PCI
>> DSS and putting "funky" Verified by VISA and MasterCard SecureCode logos?
>
> Their intent is different.
Yes, the intent of PCI DSS and 3D-Secure is different, as I already wrote
during the previous conversation with Mostafa. But what about the intent of such
companies - that is what this question was about. I see that such companies are
deceiving people (I'll write more about it later).
> http://www.xssed.com/news/121/MasterCard_and_Visa_sites_bitten_by_XSS_bugs/
It's interesting, I'll look at these posts. It is possible that these
hole-making companies just think that because they're not doing any card
acquiring at their sites, they don't need to be PCI DSS compliant or
to attend to the security of their sites ;-).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua