[OWASP-GUIDE] Re: PCI - Visa / MC / Amex merchant security standards

Andre Ludwig andre.ludwig at gmail.com
Wed Feb 9 11:27:24 EST 2005


It should be noted that there CAN be differences in the PCI standard
due to the fact that it is based off the SDP and CISP programs from
MasterCard and Visa.  Since each VISA region is separate and
independent, there can be instances where VISA Asia sees something
one way and VISA EU has a different spin on it.  So just be aware of
that, and make sure, if you are trying to figure out the standard that
applies to you, that you take a look at that region's documentation from the
CISP program.  Since the MasterCard SDP program is global, there isn't
any issue with the portions of the PCI that came from that standard.

/rant

Andre


On Thu, 10 Feb 2005 00:06:33 +1100, Andrew van der Stock
<vanderaj at greebo.net> wrote:
> Visa seems to be having some difficulties with that URL - it was fine for me
> earlier - I literally cut and pasted it. However, that doesn't work right
> now, hopefully Visa will have it back soon.
> 
> The overall CISP program is here:
> 
> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html?it
> =c|/business/accepting_visa/index%2Ehtml|Cardholder%20Information%20Security
> %20Program%20(CISP)
> 
> (URL wrapped - please concatenate on one line)
> 
> If you are in the Asia Pacific Region (like me!), this link would serve you
> better:
> 
> http://www.visa-asia.com/secured/
> 
> There are many more PDF documents in that URL, including how to conduct an
> audit, what an audit should contain, FAQs, and advice for larger processors
> (i.e. merchants like eBay or major retailers).
> 
> Also, I see you work for a bank. The above guidelines, although good solid
> security controls, do not really apply to issuing institutions. You need to
> contact your card services people (if it is not you :) and talk to them
> about the controls. Many of the controls should be adopted - particularly
> the change management and patch management ones, code reviews, regular
> auditing, etc. However, some of them, like not storing cc #'s and ccv's
> can't apply to issuing institutions as you generate these values for card
> holders.
> 
> Good luck!
> 
> Thanks,
> Andrew
> 
> ________________________________________
> From: Murli [mailto:obscured]
> Sent: Wednesday, 9 February 2005 11:06 PM
> To: Andrew van der Stock
> Subject: RE: PCI - Visa / MC / Amex merchant security standards
> 
> Hi Andrew - thank you for the info. I tried accessing the
> link you had provided but it threw up an error. Could you
> pls recheck the link and confirm?
> 
> Thanks
> Murli
> 
>



