[Owasp-Mumbai] PCI DSS and IT Security

Bhaven T. Haria bhaven.haria at paladion.net
Mon May 31 02:01:04 EDT 2010


Hey Vaibhav & Purohit,



What I wrote:

> PCI-DSS is applicable to the entities storing, processing or transmitting
> payment cardholder data. *(Master, VISA, AMEX, Discover, JCB)*

> For the entities that deal with the transaction information about retail &
> commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT*
> applicable.

What I meant is that if the banks (e.g. ABC Sakahari scheduled bank) deal
only with retail & commercial banking and do NOT deal with any type of
cardholder data, then PCI-DSS is not applicable to their environments. This
was to answer one of Purohit's questions about the applicability.

But yes, if they are storing, *processing or transmitting* any
cardholder data, they come under the purview of PCI-DSS.

Apologies for the misunderstanding. Hope it’s clear now.



Regards,

Bhaven

On 31 May 2010 11:18, vaibhav aher <vaibhavaher at gmail.com> wrote:

> > For the entities that deal with the transaction information about retail
> > & commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT*
> > applicable.
>
> ^^NOT TRUE, transaction and storage always come into scope, and PCI DSS is
> applicable.
>
> Regards
> Vaibhav Aher
>
>
> On Fri, May 28, 2010 at 10:51 PM, Bhaven T. Haria <
> bhaven.haria at paladion.net> wrote:
>
>>
>> Hi Purohit,
>>
>>
>>
>> Shall try to answer some parts of your question:
>>
>> > PCI-DSS is applicable to the entities storing, processing or
>> > transmitting payment cardholder data. *(Master, VISA, AMEX, Discover, JCB)*
>>
>> > For the entities that deal with the transaction information about retail
>> > & commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT*
>> > applicable.
>>
>> > For implementation of PCI-DSS, it’s better to start with scoping the
>> > cardholder environment, so that the investments & implementation efforts can
>> > be confined.
>>
>> > After scoping, a GAP assessment is carried out against the standard to
>> > determine the implementation action items.
>>
>> > PCI-DSS implementation is then carried out, followed by the validation –
>> > which can be a QSA audit or SAQ (Self-assessment Questionnaire) filling.
>>
>> > Periodicity of vulnerability scanning, application security testing,
>> > penetration testing, wireless scanning, etc. has been defined in the
>> > standard. For the entities that want to implement or sustain the compliance,
>> > this periodicity needs to be demonstrated.
>>
>>
>>
>> Obvious Reference: PCI-DSS Standard <https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html>
>>
>>
>>
>> Have got some interesting reads on PCI-DSS. Do let me know if you want me to
>> pass them on.
>>
>>
>>
>> Cheers,
>>
>> Bhaven
>> http://in.linkedin.com/in/bhavenharia
>>
>> On 28 May 2010 17:51, purohit singh <purohitsingh2 at gmail.com> wrote:
>>
>>> Dear All,
>>>
>>> This is with reference to PCI DSS. Is the PCI DSS policy only restricted
>>> to applications, systems and environments where debit cards or credit cards
>>> are used for transactions? How about transactions involving internet
>>> banking for retail users and corporate banking for corporates where no
>>> credit card or debit card details are used? Also, how is the PCI DSS policy
>>> technically implemented? Financial and banking organizations don't implement
>>> the PCI DSS policy in the first step. There is a lot of opposition and
>>> red-tapism to change. The application penetration testing is executed in one
>>> phase, the network pen-test is done at a later stage, and the web server VA and
>>> database audit are done randomly. So how is the PCI DSS policy executed and
>>> integrated? Please clarify.
>>>
>>> With regards,
>>> Purohit Singh
>>>
>>> _______________________________________________
>>> OWASP-Mumbai mailing list
>>>
>>> OWASP-Mumbai at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>
>>>