[OWASP-GUIDE] RE: PCI - Visa / MC / Amex merchant security standards

Lyal Collins lyal.collins at key2it.com.au
Sat Feb 12 18:30:31 EST 2005

On a slightly general note about CISP/AIS and SDP, and the merged PCI. 
It is good that there is a common benchmark for credit card payments.
The remaining difficulty is that the audit process is aimed at a number of
specifics that are costly (commercially impossible) to meet, and hence the
audit allows for 'compensating controls' to be considered to be deemed

Thus, if the standard calls for "X", a site can say "we do Y because our
software/hardware doesn't do X, and we believe Y is secure enough" and still
comply to the auditing standard.

I know the standard(s) are written to be "generic", but not generically

Of course, if every site were 100% compliant, they'd be running the almost
exactly same platfom, which is the bad practice of monoculture-ism, let
alone stifle innovation in the industry.

Compliance is a process issue, and these standards and underlying compliance
processes mean every site has most things; corrollary is the not all sites
have everything demanded in the standards.

It is also interesting to note that few banks could comply with the letter
of the Scheme defined standards for merchants and payment processors which
interact with those banks - certaily this is true in several Aisa Pacific



-----Original Message-----
From: Andre Ludwig [mailto:andre.ludwig at gmail.com] 
Sent: Thursday, 10 February 2005 3:27 AM
To: Andrew van der Stock
Cc: owasp-guide at lists.sourceforge.net; webappsec at securityfocus.com
Subject: Re: PCI - Visa / MC / Amex merchant security standards

It should be noted that there CAN be differences in the PCI standard due to
the fact that it is based off the SDP and CISP programs from master card and
visa.  Since each VISA region is separate and independent there can be
instances of where VISA asia sees something one way and VISA EU has a
different spin on it.  So just be aware of that, make sure if you are trying
to figure out the standard that applies to you you take a look at that
regions documentation from the CISP program.  Since the master card SDP
program is global there isn't any issue with the portions of the PCI that
came from that standard.



On Thu, 10 Feb 2005 00:06:33 +1100, Andrew van der Stock
<vanderaj at greebo.net> wrote:
> Visa seems to be having some difficulties with that URL - it was fine 
> for me earlier - I literally cut and pasted it. However, that doesn't 
> work right now, hopefully Visa will have it back soon.
> The overall CISP program is here:
> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.h
> tml?it
> %20Program%20(CISP)
> (URL wrapped - please concatenate on one line)
> If you are in the Asia Pacific Region (like me!), this link would 
> serve you
> better:
> http://www.visa-asia.com/secured/
> There are many more PDF documents in that URL, including how to 
> conduct an audit, what an audit should contain, FAQ's, and advice for 
> larger processors (ie merchants like eBay or major retailers).
> Also, I see you work for a bank. The above guidelines, although good 
> solid security controls, do not really apply to issuing institutions. 
> You need to contact your card services people (if it is not you :) and 
> talk to them about the controls. Many of the controls should be 
> adopted - particularly the change management and patch management 
> ones, code reviews, regular auditing, etc. However, some of them, like 
> not storing cc #'s and ccv's can't apply to issuing institutions as 
> you generate these values for card holders.
> Good luck!
> Thanks,
> Andrew
> ________________________________________
> From: Murli [mailto:obscured]
> Sent: Wednesday, 9 February 2005 11:06 PM
> To: Andrew van der Stock
> Subject: RE: PCI - Visa / MC / Amex merchant security standards
> Hi andrew - thank you for the info. I tried accessing the link you had 
> provided but it threw up an error. Could you pls recheck the link and 
> confirm.
> Thanks
> Murli

More information about the Owasp-guide mailing list