Security Basics mailing list archives
Re: PCI compliance questions
From: Jason <securitux () gmail com>
Date: Fri, 24 Apr 2009 14:40:47 -0400
Hi.

1) Sensitive data is cardholder data, which is the PAN; it also includes expiry date and name IF stored or handled in conjunction with the PAN. Sensitive AUTHENTICATION data is the CVV2, the PIN, and the tracks of the magnetic stripe; HOWEVER, they may NEVER be stored. If you read the page you linked us to, it has your answer in it. Merchant / Acquirer / Service Provider doesn't matter; the same data is sensitive regardless of who it is.

2) Depends on what your acquirer says. Some acquirers are giving a lot of leeway, others are not. The brands' deadline is now. In other words, if the brand finds that a service provider whom they work directly with is not compliant with PCI, the fines and revocation of card processing privileges could very well happen and have happened to some.

3) From the PCI DSS: "PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted".

-J

On Wed, Apr 22, 2009 at 6:01 AM, Abo Sous <abussous () gmail com> wrote:
> Hello list,
>
> I'm going through some PCI material, and I have the following questions please:
>
> 1- Details on what’s considered sensitive data and what’s not, from a Merchant perspective, are provided by Visa on page of https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf; however, I could not find any for the Acquirer/Issuer/Service Provider perspective; any pointers?
> 2- What are the deadlines/fines for non-compliance, for Merchants/Acquirers/Issuers/Service Providers respectively?
> 3- Being an issuer/acquirer (bank for ex), am I required to comply with PCI DSS? If so, what are the requirements?
>
> Thanks,
> -A/S.
>
> ------------------------------------------------------------------------
> This list is sponsored by: InfoSec Institute
> Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ------------------------------------------------------------------------
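A defender-side illustration of the classification in Jason's reply, as an added example that is not part of the original thread: it scans constructed sample records (log lines or database rows) for a Luhn-valid PAN (cardholder data, which makes PCI DSS applicable) and for CVV2, PIN and Track 2 patterns (sensitive authentication data, which must never be stored), and masks any PAN before reporting so the scan output does not itself become stored cardholder data. The regular expressions, label names, the first-six/last-four mask and the sample records are my own assumptions, not text from PCI DSS or from the list.

```python
import re
from typing import Dict, List, Set

# Constructed sample records (not real card data; 4111... is a classic test number).
SAMPLE_RECORDS: List[str] = [
    "order=1001 pan=4111111111111111 exp=1225 name=J DOE",   # PAN + expiry + name
    "auth cvv2=123 pan=4111111111111111",                     # CVV2 stored alongside a PAN
    "track2=;4111111111111111=25121010000000000000?",         # raw Track 2 data
    "order=1002 ref=1234567890123 status=ok",                 # 13 digits, but not Luhn-valid
]

# Assumed patterns: a bare 13-19 digit run is only a PAN *candidate*; Luhn decides.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
# Track 2 layout: ';' + PAN + '=' + YYMM expiry (assumed simplified form).
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}")
CVV_RE = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin\s*[=:]\s*\d{4,12}\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters out order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (assumed display form)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def classify(record: str) -> Set[str]:
    """Return the labels found in one record: PAN and/or SAD:* categories."""
    labels: Set[str] = set()
    if any(luhn_valid(m.group(1)) for m in PAN_RE.finditer(record)):
        labels.add("PAN")
    if TRACK2_RE.search(record):
        labels.add("SAD:TRACK2")
    if CVV_RE.search(record):
        labels.add("SAD:CVV2")
    if PIN_RE.search(record):
        labels.add("SAD:PIN")
    return labels


def scan(records: List[str]) -> List[Dict[str, object]]:
    """Report every record holding cardholder data or SAD, with PANs masked."""
    findings: List[Dict[str, object]] = []
    for idx, rec in enumerate(records):
        labels = classify(rec)
        if not labels:
            continue
        pans = [mask_pan(m.group(1)) for m in PAN_RE.finditer(rec)
                if luhn_valid(m.group(1))]
        findings.append({"index": idx, "labels": sorted(labels), "pans": pans})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        flag = "STORED SAD" if any(l.startswith("SAD:") for l in f["labels"]) else "CHD"
        print(f"record {f['index']}: {flag} {f['labels']} pans={f['pans']}")
```

Records 0 to 2 are reported; record 3 is not, because the Luhn check rejects the 13-digit reference number. A record carrying any SAD label is the one to escalate first: the reply's point is that such data may never be at rest, whereas a PAN is permitted in storage only under the DSS controls.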
Current thread:
- PCI compliance questions Abo Sous (Apr 22)
- Re: PCI compliance questions Adam Pal (Apr 24)
- Re: PCI compliance questions Mark Loeser (Apr 24)
- Re: PCI compliance questions Jason (Apr 24)
- <Possible follow-ups>
- Re: PCI compliance questions no (Apr 24)
- Re: PCI compliance questions sfmailsbm (Apr 24)