<font color="#000066"><font size="2"><font face="tahoma,sans-serif"><p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN"><br></span></p><p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">Hey Vaibhav &amp; Purohit,</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">&nbsp;</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">What I wrote:</span></p>

<p style="margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;
margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:11.0pt;font-family:
Calibri;mso-bidi-font-family:Tahoma;color:#333399;mso-ansi-language:EN-IN">&gt;
PCI-DSS is applicable to the entities storing, processing or transmitting
payment cardholder data.<span class="apple-converted-space">&nbsp;</span><i>(Master,
VISA, AMEX, Discover, JCB)</i></span><span style="font-family:Tahoma;
color:#000066"></span></p>

<p style="margin-top:0in;margin-right:0in;margin-bottom:0in;margin-left:.5in;
margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:11.0pt;font-family:
Calibri;mso-bidi-font-family:Tahoma;color:#333399;mso-ansi-language:EN-IN">&gt;
For the entities that deal with the transaction information about retail &amp; commercial
banking and<span class="apple-converted-space">&nbsp;</span><b>NOT</b><span class="apple-converted-space">&nbsp;</span>store any cardholder data, PCI-DSS is<span class="apple-converted-space">&nbsp;</span><b>NOT</b><span class="apple-converted-space">&nbsp;</span>applicable.</span><span style="font-family:Tahoma;color:#000066"></span></p>


<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">&nbsp;</span></p>



<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">What I meant is that if banks (e.g. ABC Sakahari scheduled bank) deal only
with retail &amp; commercial banking and do NOT deal with any type of
cardholder data, then PCI-DSS is not applicable to their environments. This was to answer one of Purohit&#39;s questions about the applicability.</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">&nbsp;</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">But yes, if they are storing, <u>processing or transmitting</u> any cardholder
data, they come under the purview of PCI-DSS.</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">&nbsp;</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">Apologies for the misunderstanding. Hope it&#39;s clear now.</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">&nbsp;</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">Regards,</span></p>

<p style="margin:0in;margin-bottom:.0001pt"><span lang="EN-IN" style="font-size:
11.0pt;font-family:Calibri;mso-bidi-font-family:Arial;color:#333399;mso-ansi-language:
EN-IN">Bhaven</span></p></font></font></font><br><div class="gmail_quote">On 31 May 2010 11:18, vaibhav aher <span dir="ltr">&lt;<a href="mailto:vaibhavaher@gmail.com">vaibhavaher@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<font><font><font><font color="#000066"><font size="2"><font face="tahoma,sans-serif"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN"><div class="im">&gt;&gt;&gt;For the entities that deal with the transaction 
information about
retail &amp; commercial &gt;&gt;&gt;banking and <b>NOT</b>
store any cardholder data, PCI-DSS is <b>NOT</b>
applicable. <br><br></div><span style="color:rgb(255, 0, 0)">^^NOT TRUE, transaction and storage always come into scope, and PCI DSS is applicable.</span><br>&nbsp;<br>Regards<br><font color="#888888">Vaibhav Aher<br><br></font></span></font></font></font></font></font></font><div>
<div></div><div class="h5"><br>
<div class="gmail_quote">On Fri, May 28, 2010 at 10:51 PM, Bhaven T. Haria <span dir="ltr">&lt;<a href="mailto:bhaven.haria@paladion.net" target="_blank">bhaven.haria@paladion.net</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">

<font color="#000066"><font size="2"><font face="tahoma,sans-serif"><p style="margin:0in 0in 0.0001pt"><span style="color:rgb(51, 51, 153);font-family:Calibri;font-size:15px"><br></span></p>
<p style="margin:0in 0in 0.0001pt"><span style="color:rgb(51, 51, 153);font-family:Calibri;font-size:15px">Hi Purohit,</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&nbsp;</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">Shall try to answer some parts of your question:</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&gt; PCI-DSS is applicable to the entities storing, processing or
transmitting payment cardholder data. <i>(Master,
VISA, AMEX, Discover, JCB)</i></span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&gt; For the entities that deal with the transaction information about
retail &amp; commercial banking and <b>NOT</b>
store any cardholder data, PCI-DSS is <b>NOT</b>
applicable. </span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&gt; For implementation of PCI-DSS, it&#39;s better to start with scoping
the cardholder environment, so that the investments &amp; implementation
efforts can be confined.</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&gt; After scoping, a GAP assessment is carried out against the standard
to determine the implementation action items. </span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&gt; PCI-DSS implementation is then carried out, followed by the
validation, which can be a QSA audit or filling in an SAQ (Self-Assessment Questionnaire).</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&gt; The periodicity of vulnerability scanning, application security
testing, penetration testing, wireless scanning, etc. is defined in the standard.
Entities that want to implement or sustain compliance need to demonstrate this periodicity.</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&nbsp;</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">Obvious Reference </span><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN"><span>:)</span></span><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">: <a href="https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html" target="_blank">PCI-DSS Standard</a></span></p>



<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&nbsp;</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">I have got some interesting reads on PCI-DSS. Do let me know if you want me to
pass them on.</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">&nbsp;</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">Cheers,</span></p>

<p style="margin:0in 0in 0.0001pt"><span style="font-size:11pt;font-family:Calibri;color:rgb(51, 51, 153)" lang="EN-IN">Bhaven</span></p>

<a name="128ece7888724e19_128e02e7eafaf5c1_webProfileURL"></a><a href="http://in.linkedin.com/in/bhavenharia" title="View public profile" target="_blank"><span><span style="font-size:10pt;font-family:Calibri">http://in.linkedin.com/in/bhavenharia</span></span><span></span></a><br>

</font></font></font><br><div class="gmail_quote"><div><div></div><div>On 28 May 2010 17:51, purohit singh <span dir="ltr">&lt;<a href="mailto:purohitsingh2@gmail.com" target="_blank">purohitsingh2@gmail.com</a>&gt;</span> wrote:<br>


</div></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"><div><div></div><div><div>Dear All,</div>
<div>&nbsp;</div>
<div>This is with reference to PCI DSS. Is the PCI DSS policy only restricted to applications, systems and environments where debit cards or credit cards are used for transactions? How about transactions involving internet banking for retail users and corporate banking for corporates, where no credit card or debit card details are used? Also, how is the PCI DSS policy technically implemented? Financial and banking organizations don&#39;t implement the PCI DSS policy in the first step. There is a lot of opposition and red-tapism to change. The application penetration testing is executed in one phase, the network pen-test is done at a later stage, and the web server VA and database audit are done randomly. So how is the PCI DSS policy executed and integrated? Please clarify.</div>




<div>&nbsp;</div>
<div>With regards,</div>
<div>Purohit Singh</div>
<br></div></div>_______________________________________________<br>
OWASP-Mumbai mailing list<div><br>
<a href="mailto:OWASP-Mumbai@lists.owasp.org" target="_blank">OWASP-Mumbai@lists.owasp.org</a><br>
</div><a href="https://lists.owasp.org/mailman/listinfo/owasp-mumbai" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-mumbai</a><br>
<br></blockquote></div><br>
<br></blockquote></div><br><br clear="all"><br><br><br><br>
</div></div></blockquote></div><br>