[Owasp-Mumbai] PCI DSS and IT Security

vaibhav aher vaibhavaher at gmail.com
Mon May 31 01:48:35 EDT 2010


>>> For the entities that deal with the transaction information about retail
>>> & commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT*
>>> applicable.

^^NOT TRUE, transaction and storage always come into scope, and PCI DSS is
applicable.

Regards
Vaibhav Aher


On Fri, May 28, 2010 at 10:51 PM, Bhaven T. Haria <bhaven.haria at paladion.net> wrote:

>
> Hi Purohit,
>
>
>
> Shall try to answer some parts of your question:
>
> > PCI-DSS is applicable to the entities storing, processing or transmitting
> payment cardholder data. *(Master, VISA, AMEX, Discover, JCB)*
>
> > For the entities that deal with the transaction information about retail
> & commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT*
> applicable.
>
> > For implementation of PCI-DSS, it’s better to start with scoping the
> cardholder environment, so that the investments & implementation efforts can
> be confined.
>
> > After scoping, a GAP assessment is carried out against the standard to
> determine the implementation action items.
>
> > PCI-DSS implementation is then carried out, followed by the validation –
> which can be a QSA audit or SAQ (Self-assessment Questionnaire) filling.
>
> > Periodicity of vulnerability scanning, application security testing,
> penetration testing, wireless scanning, etc. has been defined in the
> standard. For the entities that want to implement or sustain the compliance,
> this periodicity needs to be demonstrated.
>
>
>
> Obvious Reference :): PCI-DSS Standard <https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html>
>
>
>
> Have got some interesting reads on PCI-DSS. Do let me know if you want me to
> pass them on.
>
>
>
> Cheers,
>
> Bhaven
> http://in.linkedin.com/in/bhavenharia
>
> On 28 May 2010 17:51, purohit singh <purohitsingh2 at gmail.com> wrote:
>
>> Dear All,
>>
>> This is with reference to PCI DSS. Is the PCI DSS policy only restricted
>> to applications, systems and environments where debit cards or credit cards
>> are used for transactions? How about transactions involving internet
>> banking for retail users and corporate banking for corporates, where no
>> credit card or debit card details are used? Also, how is the PCI DSS policy
>> technically implemented? Financial and banking organizations don't implement
>> the PCI DSS policy in the first step. There is a lot of opposition and
>> red-tapism to change. The application penetration testing is executed in one
>> phase, the network pen-test is done at a later stage, and the web server VA
>> and database audit are done randomly. So how is the PCI DSS policy executed and
>> integrated? Please clarify.
>>
>> With regards,
>> Purohit Singh
>>
>> _______________________________________________
>> OWASP-Mumbai mailing list
>>
>> OWASP-Mumbai at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>
>>
>