Network Segmentation

Earlier this month the PCI SSC released a memo referring to their network segmentation guidelines. While network segmentation is not part of PCI scope, it seems that most breaches happen from systems that were deemed not in scope, and companies were unaware that their data was even being accessed by these systems. The guidelines were created with input from professionals within the industry to address common concerns that companies might have. The network segmentation guidelines provide feedback on how to successfully implement network segmentation as well as how to determine PCI scope within your overall environment. The network segmentation guidelines …

HostedPCI is Now on the AppExchange

HostedPCI is now on the AppExchange, making it easier for companies that use Salesforce for their CRM to reduce their PCI scope without compromising customer experience. HostedPCI offers 2 main services within the Salesforce app: our iFrame for eCommerce companies and our IVR for call centre companies. With the HostedPCI app, companies are able to store the credit card token along with the rest of the client information within their Salesforce environment. HostedPCI offers 2 options for collecting the customer's information: an internal option and an external option. The internal option is used for customer service representatives to collect customers …

Why Change the TLS Migration Date?

It has been known for a while that SSL/TLS had vulnerabilities; however, when POODLE first became known, the PCI SSC jumped quickly to release PCI DSS version 3.1, which stated that organizations had to migrate to TLS 1.1 or higher and disable any fallback to SSL/early TLS. Within PCI DSS version 3.1 the deadline for all these changes was June 2016, and by that time all organizations such as Acquirers, Processors, Gateways and Service Providers must have migrated to TLS 1.1 or higher. The PCI SSC rushed to release PCI DSS version 3.1 due to the SSL/early …

TLS for Android

For online merchants, the new PCI standards may affect the usability of their shopping carts on Android phones. Earlier this year two attacks related to PCI compliance were discovered: Heartbleed and POODLE. While it had been discovered in the past that SSL and early TLS encryption were vulnerable to attacks, they were still allowed to be used with a downgrade dance: if the highest-level handshake with TLS 1.2 failed, the handshake would downgrade until the connection could be made securely. While most communication begins with TLS 1.2, it could end with a secure connection with TLS …

PCI 3.1 : Why so Quick

The PCI Security Standards Council was created in 2006 to protect organizations and their customers from fraud. PCI compliance is a nationwide standard that all organizations that collect, exchange and process card data must follow in order to be secure. Typically PCI compliance is updated once every three years. PCI 3.0 went into full effect in January 2015, so why was PCI 3.1 rushed out so quickly? Although there were a few clarification changes, the main reason for this rush was a vulnerability found in SSL 3.0. SSL (Secure Sockets Layer) certificates that are essential in the data encryption process making …

Differences in SAQ

What your business is and how it handles credit cards will dictate the type of SAQ (Self-Assessment Questionnaire) your organization must complete. Most companies underestimate the guidelines for PCI compliance and will elect to collect and store data on their own, thinking: how hard can it really be? Well, the reality is that if an organization collects, handles and stores its own credit card data, it will need to complete an SAQ type D, which is a full-scope SAQ with roughly 347 questions that need to be completed. Even if only one of these …

Compliance Doesn't Have to be Stressful

When shopping online or over the phone, has anyone ever wondered how secure their credit card data really is? Typically every consumer wants to believe that their data cannot be compromised, but how can they be sure? In order to answer these questions there are a few things that consumers need to know. First off, it's important to understand that all companies that accept credit card data must follow strict guidelines, known as PCI compliance. There are many ways for a company to become PCI compliant; for example, they can do it themselves, however it is extremely costly and …