[OWASP-GUIDE] RE: PCI - Visa / MC / Amex merchant security standards

Andrew van der Stock vanderaj at greebo.net
Wed Feb 9 08:06:33 EST 2005

Visa seems to be having some difficulties with that URL - it was fine for me
earlier - I literally cut and pasted it. However, that doesn't work right
now, hopefully Visa will have it back soon.

The overall CISP program is here:


(URL wrapped - please concatenate on one line)

If you are in the Asia Pacific Region (like me!), this link would serve you


There are many more PDF documents in that URL, including how to conduct an
audit, what an audit should contain, FAQ's, and advice for larger processors
(ie merchants like eBay or major retailers).

Also, I see you work for a bank. The above guidelines, although good solid
security controls, do not really apply to issuing institutions. You need to
contact your card services people (if it is not you :) and talk to them
about the controls. Many of the controls should be adopted - particularly
the change management and patch management ones, code reviews, regular
auditing, etc. However, some of them, like not storing cc #'s and ccv's
can't apply to issuing institutions as you generate these values for card

Good luck!


From: Murli [mailto:obscured] 
Sent: Wednesday, 9 February 2005 11:06 PM
To: Andrew van der Stock
Subject: RE: PCI - Visa / MC / Amex merchant security standards

Hi andrew - thank you for the info. I tried accessing the
link you had provided but it threw up an error. Could you
pls recheck the link and confirm.


More information about the Owasp-guide mailing list