[Owasp-Mumbai] PCI DSS and IT Security

vaibhav aher vaibhavaher at gmail.com
Mon May 31 02:08:57 EDT 2010


Hello Bhaven,
You are right :)

Regards
Vaibhav Aher



On Mon, May 31, 2010 at 11:31 AM, Bhaven T. Haria <bhaven.haria at paladion.net> wrote:

>
> Hey Vaibhav & Purohit,
>
> What I wrote:
>
> > PCI-DSS is applicable to the entities storing, processing or transmitting
> payment cardholder data. *(Master, VISA, AMEX, Discover, JCB)*
>
> > For the entities that deal with the transaction information about retail
> & commercial banking and *NOT* store any cardholder data, PCI-DSS is *NOT*
> applicable.
>
> What I meant is that if banks (e.g. ABC Sakahari scheduled bank) deal only
> with retail & commercial banking and do NOT deal with any type of
> cardholder data, then PCI-DSS is not applicable to their environments. This
> was to answer one of Purohit's questions about applicability.
>
> But yes, if they are storing, *processing or transmitting* any
> cardholder data, they come under the purview of PCI-DSS.
>
> Apologies for the misunderstanding. Hope it's clear now.
>
> Regards,
>
> Bhaven
>
> On 31 May 2010 11:18, vaibhav aher <vaibhavaher at gmail.com> wrote:
>
>> > For the entities that deal with the transaction information about
>> > retail & commercial banking and *NOT* store any cardholder data,
>> > PCI-DSS is *NOT* applicable.
>>
>> ^^ NOT TRUE: transaction and storage always come into scope, and PCI DSS
>> is applicable.
>>
>> Regards
>> Vaibhav Aher
>>
>>
>> On Fri, May 28, 2010 at 10:51 PM, Bhaven T. Haria <bhaven.haria at paladion.net> wrote:
>>
>>>
>>> Hi Purohit,
>>>
>>> Shall try to answer some parts of your question:
>>>
>>> > PCI-DSS is applicable to the entities storing, processing or
>>> transmitting payment cardholder data. *(Master, VISA, AMEX, Discover,
>>> JCB)*
>>>
>>> > For the entities that deal with the transaction information about
>>> retail & commercial banking and *NOT* store any cardholder data, PCI-DSS
>>> is *NOT* applicable.
>>>
>>> > For implementation of PCI-DSS, it’s better to start with scoping the
>>> cardholder environment, so that the investments & implementation efforts can
>>> be confined.
>>>
>>> > After scoping, a GAP assessment is carried out against the standard to
>>> determine the implementation action items.
>>>
>>> > PCI-DSS implementation is then carried out, followed by the validation
>>> – which can be a QSA audit or SAQ (Self-assessment Questionnaire) filling.
>>>
>>> > Periodicity of vulnerability scanning, application security testing,
>>> penetration testing, wireless scanning, etc. has been defined in the
>>> standard. For the entities that want to implement or sustain the compliance,
>>> this periodicity needs to be demonstrated.
>>>
>>> Obvious reference :) PCI-DSS Standard: <https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html>
>>>
>>> Have got some interesting reads on PCI-DSS. Do let me know if you want me to
>>> pass them on.
>>>
>>> Cheers,
>>>
>>> Bhaven
>>> http://in.linkedin.com/in/bhavenharia
>>>
>>> On 28 May 2010 17:51, purohit singh <purohitsingh2 at gmail.com> wrote:
>>>
>>>> Dear All,
>>>>
>>>> This is with reference to PCI DSS. Is the PCI DSS policy only restricted
>>>> to applications, systems and environments where debit cards or credit cards
>>>> are used for transactions? How about transactions involving internet
>>>> banking for retail users and corporate banking for corporates where no
>>>> credit card or debit card details are used? Also, how is the PCI DSS policy
>>>> technically implemented? Financial and banking organizations don't implement
>>>> the PCI DSS policy in the first step. There is a lot of opposition and
>>>> red-tapism to change. The application penetration testing is executed in one
>>>> phase, the network pen-test is done at a later stage, and the web server VA and
>>>> database audit are done randomly. So how is the PCI DSS policy executed and
>>>> integrated? Please clarify.
>>>>
>>>> With regards,
>>>> Purohit Singh
>>>>
>>>> _______________________________________________
>>>> OWASP-Mumbai mailing list
>>>>
>>>> OWASP-Mumbai at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/owasp-mumbai