Wednesday, December 22, 2010

PCI "Open Mic" Session

The PCI Council held the first of two “open mic” webinars today (Wednesday) for Participating Organizations. Since NACUBO is a Participating Organization, I was able to listen. There were a number of interesting questions (and answers) which I’ll try to summarize.


The first question concerned the new SAQ C-VT for virtual terminals. It was noted that this SAQ is intended for merchants with a single laptop key-entering one transaction at a time. The Council reiterated that these merchants do not need external vulnerability scanning since their laptop is likely to move around and there would not be a static IP address. Also, these merchants are perceived as low risk. What was news was that if a merchant uses a stationary workstation, they would need vulnerability scanning.

A follow-up question picked up on this point, asking whether a merchant using a stationary terminal (not a portable, movable laptop) should instead use the regular SAQ C. Unfortunately the only answer we got was that the merchant needs to “ask your acquirer.” Since most acquirers (even when you find the right person) won’t be very familiar with the new SAQ C-VT, merchants will likely end up using their best judgment or asking their QSA (who quite possibly will be equally baffled). My recommendation for any campus in this situation is to use SAQ C, or, if you use C-VT, to get quarterly scanning, too.


There will be a new “PCI Awareness Training” program providing a high level introduction to PCI. This program is in addition to the ISA and QSA training currently offered. This is a good idea, and reinforces the Treasury Institute’s own program to provide PCI training to a wide audience.

The Council has posted the schedule for the first part of 2011 on its website. If you want to know about future dates, the only advice offered (unfortunately) was to keep checking the PCI Council website for updates.


The Council reinforced that PA-DSS only applies to applications that meet all of the following: (1) store, process, or transmit cardholder data; (2) are used to perform authorization or settlement; and (3) are sold to third parties. That is, back office and other applications are not eligible for PA-DSS validation and should be included in your PCI assessment.

Bob Russo addressed the current backlog of PA-DSS approvals and promised that the turnaround time for approving new applications will be 3-4 weeks in 2011.


Bob and his colleagues addressed a number of other topics including:

· The Council has no plans to test or qualify Penetration Testers

· All PCI v2.0 documents are online and available for download

· Special Interest Groups (SIGs) are still looking for members to join

· Yes, Issuers are subject to PCI DSS, and the clarification mainly dealt with their need to retain sensitive authentication data such as security codes and PIN data

· If you use a QSA for an assessment, be sure to complete a QSA feedback form

· The Council will continue to update its Frequently Asked Questions (FAQ) list

There will be a recording of the session on the Council’s website soon. You might want to have a listen.

Friday, December 17, 2010

Have You Got An Extra Few Million Dollars Laying Around?

I am always worried/disturbed when I see reports of data breaches. This is particularly the case when it involves a higher education institution. There have been three recently reported: the University of Hawaii (which I previously wrote about here), University of Wisconsin - Madison, and most recently The Ohio State University.

The good news is that at least the last two did not involve any cardholder data. That doesn't make the breaches any less worrying, though. If one kind of data can be exposed, then so can cardholder data. The thing about these most recent breaches is that we are starting to see the serious financial costs involved.

According to this report:
Following the lead of other data breach victims, [the school] is offering a year’s worth of credit protection services, which according to Lynch, will cost the university approximately $4 million.
Add this to the brand damage to any institution and the costs can mount fast.

So I guess my holiday wish (in addition to my other holiday wishes...) is that decision makers everywhere realize that while security and compliance is expensive, lack of security is a whole lot more expensive.

Wednesday, December 1, 2010

New SAQ C and C-VT

As I noted earlier, the PCI Council has released updated Self-Assessment Questionnaires (SAQs) as part of version 2.0. Of greatest interest to many Higher Ed merchants (and actually a whole lot of merchants!) will be the new SAQ C.

The first thing you should know is that it comes in two flavors: SAQ C and SAQ C-VT for virtual terminal users.

The second thing you should know is that my colleague Kat Valentine has produced an analysis of the two new SAQs. Rather than rehash what she has done so well, let me suggest you surf over to her 403 Labs Blog post (click here) and read her analysis. It is thorough and thoughtful.

As most of you know, SAQ C is notoriously difficult to qualify to use. Things have gotten a bit better, but it still is no cakewalk. The same goes for SAQ C-VT. However, if you do qualify it is a whole lot better than SAQ D.

Have a careful read of Kat's analysis, and take a fresh look at your own situation.