
RE: PCI - Visa / MC / Amex merchant security standards

Subject: RE: PCI - Visa / MC / Amex merchant security standards
Date: Sun, 13 Feb 2005 10:30:31 +1100
On a slightly general note about CISP/AIS and SDP, and the merged PCI. 
It is good that there is a common benchmark for credit card payments.
The remaining difficulty is that the audit process is aimed at a number of
specifics that are costly (commercially impossible) to meet, and hence the
audit allows for 'compensating controls' to be considered to be deemed
equivalent.

Thus, if the standard calls for "X", a site can say "we do Y because our
software/hardware doesn't do X, and we believe Y is secure enough" and still
comply to the auditing standard.

I know the standard(s) are written to be "generic", but not generically
enough. 

Of course, if every site were 100% compliant, they'd be running almost
exactly the same platform, which is the bad practice of monoculture-ism, let
alone stifling innovation in the industry.

Compliance is a process issue, and these standards and underlying compliance
processes mean every site has most things; the corollary is that not all sites
have everything demanded in the standards.

It is also interesting to note that few banks could comply with the letter
of the Scheme defined standards for merchants and payment processors which
interact with those banks - certainly this is true in several Asia Pacific
countries.

/rant

Lyal 

-----Original Message-----
From: Andre Ludwig [mailto:andre.ludwig@gmail.com] 
Sent: Thursday, 10 February 2005 3:27 AM
To: Andrew van der Stock
Cc: owasp-guide@lists.sourceforge.net; webappsec@securityfocus.com
Subject: Re: PCI - Visa / MC / Amex merchant security standards


It should be noted that there CAN be differences in the PCI standard due to
the fact that it is based off the SDP and CISP programs from MasterCard and
Visa.  Since each Visa region is separate and independent there can be
instances where Visa Asia sees something one way and Visa EU has a
different spin on it.  So just be aware of that; make sure, if you are trying
to figure out the standard that applies to you, that you take a look at that
region's documentation from the CISP program.  Since the MasterCard SDP
program is global there isn't any issue with the portions of the PCI that
came from that standard.

/rant

Andre


On Thu, 10 Feb 2005 00:06:33 +1100, Andrew van der Stock
<vanderaj@greebo.net> wrote:
Visa seems to be having some difficulties with that URL - it was fine 
for me earlier - I literally cut and pasted it. However, that doesn't 
work right now, hopefully Visa will have it back soon.

The overall CISP program is here:

http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html?it=c|/business/accepting_visa/index%2Ehtml|Cardholder%20Information%20Security%20Program%20(CISP)

If you are in the Asia Pacific Region (like me!), this link would serve you
better:

http://www.visa-asia.com/secured/

There are many more PDF documents at that URL, including how to 
conduct an audit, what an audit should contain, FAQs, and advice for 
larger processors (i.e. merchants like eBay or major retailers).

Also, I see you work for a bank. The above guidelines, although good 
solid security controls, do not really apply to issuing institutions. 
You need to contact your card services people (if it is not you :) and 
talk to them about the controls. Many of the controls should be 
adopted - particularly the change management and patch management 
ones, code reviews, regular auditing, etc. However, some of them, like 
not storing cc #'s and ccv's can't apply to issuing institutions as 
you generate these values for card holders.

Good luck!

Thanks,
Andrew

________________________________________
From: Murli [mailto:obscured]
Sent: Wednesday, 9 February 2005 11:06 PM
To: Andrew van der Stock
Subject: RE: PCI - Visa / MC / Amex merchant security standards

Hi Andrew - thank you for the info. I tried accessing the link you had 
provided but it threw up an error. Could you please recheck the link and 
confirm.

Thanks
Murli
