Home page logo
/

basics logo Security Basics mailing list archives

Re: PCI compliance questions
From: Jason <securitux () gmail com>
Date: Fri, 24 Apr 2009 14:40:47 -0400

Hi.

1) Sensitive data is cardholder data which is the PAN and it also
includes expiry date and name IF stored or handled in conjunction with
the PAN. Sensitive AUTHENTICATION data is the CVV2, the PIN, and the
tracks of the magnetic stripe HOWEVER they may NEVER be stored. If you
read the page you linked us to, it has your answer in it. Merchant /
Acquirer / Service Provider doesn't matter, the same data is sensitive
regardless of who it is.

2) Depends what your acquirer says. Some acquirers are giving a lot of
leeway, others are not. The brands' deadline is now. In other words if
the brand finds that a service provider whom they work directly with
is not compliant with PCI the fines and revocation of card processing
privileges could very well happen and has happened to some.

3) From the PCI DSS: "PCI DSS requirements are applicable if a Primary
Account Number (PAN) is stored, processed, or transmitted".

-J

On Wed, Apr 22, 2009 at 6:01 AM, Abo Sous <abussous () gmail com> wrote:
Hello list,

I'm going through some PCI material, and i have the following questions please:

1- Details on what’s considered as sensitive data and what’s not: from
a Merchant perspective is provided by Visa on page of
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf;
however, i could not find any as for the Acquirer/Issuer/Service
Provider perspective; any pointers?
2- what are the deadlines/fines for non compliance, for
Merchants/Acquirers/Issuers/Service Providers respectively?
3- being an issuer/acquirer (bank for ex), am i required to comply
with PCI DSS? if so, what are the requirements?

Thanks,
-A/S.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]