Home page logo
/

basics logo Security Basics mailing list archives

Re: PCI compliance questions
From: Mark Loeser <mark () halcy0n com>
Date: Fri, 24 Apr 2009 11:41:24 -0400

Abo Sous <abussous () gmail com> said:
1- Details on what’s considered as sensitive data and what’s not: from
a Merchant perspective is provided by Visa on page of
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf;
however, i could not find any as for the Acquirer/Issuer/Service
Provider perspective; any pointers?

According to PCI standards all cardholder data is sensitive.  The only
thing that needs to be rendered unreadable is the full account number
for the card.  The other information just needs to be protected.  Also,
the PIN, CVV and full magnetic strip can not be stored at all.

2- what are the deadlines/fines for non compliance, for
Merchants/Acquirers/Issuers/Service Providers respectively?

These should be listed in the spec, I don't recall off hand.

3- being an issuer/acquirer (bank for ex), am i required to comply
with PCI DSS? if so, what are the requirements?

Almost positive you have to comply with all of the requirements.  If you
are dealing with card holder data at all, then you fall into PCI-land.

HTH,

-- 
Mark Loeser
email         -   halcy0n AT gentoo DOT org
email         -   mark AT halcy0n DOT com
web           -   http://www.halcy0n.com

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault