Wednesday, December 27, 2006

PCI Fines - The Teeth of PCI-DSS Compliance

In 2006, Visa levied $4.6 million in fines, up from a 2005 total of $3.4 million.

This new program sets an enforcement date for acquirers to validate PCI compliance for Level 1 and Level 2 merchants. Additionally, Visa is imposing new fines on acquirers whose Level 2 merchant customers retain full-track data, CVV2 or PIN data after the transaction authorization.

Specifically for PCI compliance, acquirers will be fined between $5,000 and $25,000 a month for each of its Level 1 and 2 merchants who have not validated by September 30, 2007 and December 31, 2007 respectively. For prohibited data storage, acquirers failing to provide confirmation that their Level 1 and 2 merchants are not storing full track data, CVV2 or PIN data by March 31, 2007 will be eligible for fines up to $10,000 a month per merchant, subject to escalation in the event material progress toward compliance is not made in a timely manner.

From Visa

Friday, December 15, 2006

PCI DSS Requirement 5

This is one area that NAC vendors are likely to latch onto. Ask them, however, how they will give you NAC functionality while also securing and encrypting traffic on the network without a massive hardware footprint or an IOS upgrade... TNT can.

5.1 Deploy anti-virus software on all systems commonly affected by viruses (particularly personal computers and servers). Note: Systems commonly affected by viruses typically do not include UNIX-based operating systems or mainframes. TNT will ensure that the anti-virus software is active, report when the last scan ran, flag any issues, and, if policy is configured to quarantine a dirty machine, move it into a quarantine zone.
5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against other forms of malicious software, including spyware and adware. TNT's NAC alternative does this by ensuring that the software is running and by synchronizing with a real-time database of known worms, bots, and other malware.
5.2 Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs. TNT can tell admins whether the mechanisms are not only up to date but also actively running, and quarantine the device until it is compliant.
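The three checks above (anti-virus installed and running, signatures and last scan current, audit logging on, infected hosts quarantined) are the posture decision a NAC enforcement point has to make for every endpoint that asks for network access. The following is an added example of that decision logic, written for this post and not taken from TNT or any vendor's product. The hostnames, the posture records, the thresholds in Policy and the JSON audit-record layout are all constructed assumptions; a real deployment would read the posture from an endpoint agent and pick its own limits. The example also handles two failure modes the requirement text leaves implicit: a timestamp the agent could not read, and a signature date in the future (clock skew or tampering), both of which are treated as non-compliant rather than silently passed.

```python
"""NAC-style posture check for PCI DSS Requirement 5 (anti-virus state).

Added example, not vendor code: an enforcement point receives a posture
record from each endpoint and decides whether to admit it or drop it into
a quarantine zone. Host records, thresholds and hostnames are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Fixed "current time" so the example is deterministic (assumption, not a live clock).
NOW = datetime(2006, 12, 15, 12, 0, tzinfo=timezone.utc)


@dataclass
class HostPosture:
    """What the endpoint agent reports about its anti-virus software."""
    hostname: str
    av_installed: bool
    av_running: bool
    signature_date: Optional[datetime]   # None = agent could not read it
    last_scan: Optional[datetime]        # None = no scan on record
    audit_logging: bool                  # AV writes an audit log (Req. 5.2)
    infected: bool = False               # AV reports an active detection


@dataclass
class Policy:
    """Thresholds a site would pick; these defaults are assumptions."""
    max_signature_age: timedelta = timedelta(days=1)
    max_scan_age: timedelta = timedelta(days=7)
    require_audit_logging: bool = True
    quarantine_infected: bool = True
    clock_skew: timedelta = timedelta(minutes=5)


def _age_finding(label: str, when: Optional[datetime], limit: timedelta,
                 policy: Policy, now: datetime) -> Optional[str]:
    """Return a finding for a missing, future-dated or stale timestamp, else None."""
    if when is None:
        return f"5.2: {label} unknown"
    if when > now + policy.clock_skew:
        return f"5.2: {label} is in the future (clock skew or tampering)"
    if now - when > limit:
        return f"5.2: {label} is {(now - when).days} days old (limit {limit.days})"
    return None


def evaluate(host: HostPosture, policy: Policy, now: datetime = NOW) -> Tuple[str, List[str]]:
    """Map one posture record to ('allow' | 'quarantine', list of findings)."""
    findings: List[str] = []
    if not host.av_installed:
        findings.append("5.1: anti-virus software not installed")
    elif not host.av_running:
        findings.append("5.2: anti-virus software installed but not running")
    for label, when, limit in (("signature date", host.signature_date, policy.max_signature_age),
                               ("last scan", host.last_scan, policy.max_scan_age)):
        finding = _age_finding(label, when, limit, policy, now)
        if finding:
            findings.append(finding)
    if policy.require_audit_logging and not host.audit_logging:
        findings.append("5.2: anti-virus audit logging disabled")
    if host.infected and policy.quarantine_infected:
        findings.append("5.1: active malware detection reported")
    return ("quarantine" if findings else "allow"), findings


def audit_record(host: HostPosture, policy: Policy, now: datetime = NOW) -> str:
    """One JSON line per decision for a log collector (layout is an assumption)."""
    decision, findings = evaluate(host, policy, now)
    return json.dumps({"ts": now.isoformat(), "host": host.hostname,
                       "decision": decision, "findings": findings}, sort_keys=True)


# Constructed posture records: one compliant host and one per failure mode.
SAMPLE_HOSTS = [
    HostPosture("pos-01", True, True, NOW - timedelta(hours=6), NOW - timedelta(days=2), True),
    HostPosture("ws-07", True, False, NOW - timedelta(hours=6), NOW - timedelta(days=2), True),
    HostPosture("ws-12", True, True, NOW - timedelta(days=3), NOW - timedelta(days=2), True),
    HostPosture("srv-03", True, True, NOW - timedelta(hours=1), None, True),
    HostPosture("ws-20", True, True, NOW + timedelta(days=2), NOW - timedelta(days=1), True),
    HostPosture("ws-31", True, True, NOW - timedelta(hours=6), NOW - timedelta(days=1), True,
                infected=True),
]


def run(policy: Policy = Policy(), now: datetime = NOW) -> Dict[str, str]:
    """Decide every sample host; returns hostname -> decision."""
    return {h.hostname: evaluate(h, policy, now)[0] for h in SAMPLE_HOSTS}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(audit_record(h, Policy()))
```

Running the script prints one JSON line per host; only pos-01 is admitted, the other five land in quarantine for the reason recorded in findings. The thresholds live in Policy rather than in the checks so the same evaluator serves a strict card-data segment and a looser office segment, and the findings carry the requirement number so the audit log doubles as compliance evidence.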