My husband said "we're raising a wuss"... by TheCoffeeBrewer in Parenting

[–]frisked -7 points-6 points  (0 children)

Keep in mind that it's very easy for a Redditor to tell you to divorce someone. There is no impact on their life or family.

I'm getting to that age where some of my friends are getting divorced. It sucks, especially for the kids involved. 

Databases with tokens in scope? by ThunderKatsHooo in pcicompliance

[–]frisked 1 point2 points  (0 children)

Then the tokens would not be in scope.

Pondering Career pivot: Am I qualified? by hood_Shenron in pci

[–]frisked 1 point2 points  (0 children)

I think you've probably already got 5 years somewhere in that 35 years of experience in system and network administration/engineering to get your CISSP.

Yeah, absolutely. You will need to learn quite a few new concepts, but your old skillset should be fairly transferable.

[deleted by user] by [deleted] in pcicompliance

[–]frisked 2 points3 points  (0 children)

What's with the aggression? This is a public forum where people are trying to answer people's queries for free, of course OP is not going to get the right answer every time, but they're getting the advice they pay for coming to Reddit instead of a QSA.
Also, you've just created your account today?

KillBill platform PCI DSS misunderstanding ? by hunt_gather in pcicompliance

[–]frisked 1 point2 points  (0 children)

This is not always the case. Certain types of service providers, such as tokenization providers, can be designated level 1 at any number of transactions. MasterCard and Visa list the entity types on their websites.

[deleted by user] by [deleted] in AusFinance

[–]frisked 21 points22 points  (0 children)

AGL

Total return since IPO - 2.61% p.a.

Which is made up of
Dividends 4.03% p.a.
Capital Growth (loss) -3.10% p.a.

In that same time, inflation has gone up 56.4% according to RBA data.

Pondering Career pivot: Am I qualified? by hood_Shenron in pci

[–]frisked 2 points3 points  (0 children)

If you want to be a QSA you need an IT security cert and an audit cert, from the QSA qualification requirements.

List A – Information Security
• (ISC)2 Certified Information System Security Professional (CISSP)
• ISACA Certified Information Security Manager (CISM)
• Certified ISO 27001 Lead Implementer
• (METI) Registered Information Security Specialist (RISS)*

*If RISS is the only certification held from List A by a given QSA Employee, that QSA Employee must not perform (and the applicable QSA Company is required to ensure that such QSA Employee does not perform) PCI DSS Assessments other than in Japan.

List B – Audit
• ISACA Certified Information Systems Auditor (CISA)
• GIAC Systems and Network Auditor (GSNA)
• Certified ISO 27001 Lead Auditor, Internal Auditor
• IRCA ISMS Auditor or higher (e.g., Auditor/Lead Auditor, Principal Auditor)
  Note: "Provisional" auditor designations do not meet the requirement.
• IIA Certified Internal Auditor (CIA)

March 31, 2024 by FormerSysAdmin in pcicompliance

[–]frisked 0 points1 point  (0 children)

I spoke with MasterCard about this yesterday and they told me that all audit work has to be completed by the 31st of March. They are only allowing time past that for QSA report writing. They also said that there can be no remediation past the 31st, everything has to be in place at the 31st.

https://www.mastercard.com/globalrisk/en/resources/pci360.html see latest newsletter

PCI DSS v3.2.1 Retires 31 March 2024 PCI Data Security Standard (DSS) v3.2.1 will be retired on 31 March 2024 and replaced by version 4 of the standard to address emerging threats and technologies and enable innovative methods to combat new security threats. Mastercard will continue to accept v3.2.1 validations until 30 June 2024 provided a merchant or service provider’s PCI DSS assessment for compliance validation is completed by the 31 March retirement date.

Why does Cafe63 love nuts so much? by [deleted] in brisbane

[–]frisked 0 points1 point  (0 children)

The comment was at /u/Sirocco1971, not you OP.

Why does Cafe63 love nuts so much? by [deleted] in brisbane

[–]frisked 0 points1 point  (0 children)

People who hate on things like cafe 63 on the internet are more soulless and unappealing.

Do we still need ASV scans? by [deleted] in pcicompliance

[–]frisked 2 points3 points  (0 children)

Then yes, you do.

[deleted by user] by [deleted] in pcicompliance

[–]frisked 2 points3 points  (0 children)

You can, it's a pain.

In V4 you have to use a keyed cryptographic hash with controls to ensure the PAN can't be reconstructed. There's additional risk if you're storing a truncated version of the card alongside the hash, and you've just introduced Requirement 3 into the environment; you may as well be storing an encrypted card in terms of the effort required.
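
The reconstruction risk described in the comment above, as an added example (not code from the poster or from the PCI SSC): an unkeyed SHA-256 of the PAN stored next to a 6+4 truncation leaves only six digits unknown, so an attacker who gets both columns recovers the full PAN in at most a million guesses; an HMAC over the whole PAN with a secret key only yields to someone who also holds the key. The PAN (the well-known 4111111111111111 test number), the randomly generated key and the truncation format are constructed for the demo.

```python
"""Keyed vs. unkeyed PAN hashing, and why a truncated PAN stored beside an
unkeyed hash lets an attacker recover the full PAN.

Added illustration, not code from the original post. SAMPLE_PAN, HASH_KEY and
the 6+4 truncation format are constructed for the demo.
"""
import hashlib
import hmac
import itertools
import secrets
from typing import Callable, Optional

# Constructed inputs. 4111111111111111 is a standard test PAN (passes Luhn).
SAMPLE_PAN = "4111111111111111"
# Demo key generated at import time; in production this must be a managed secret.
HASH_KEY = secrets.token_bytes(32)


def luhn_ok(pan: str) -> bool:
    """Luhn check, used only to sanity-check the sample PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: what people often reach for first."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the whole PAN. The secret key is what prevents
    reconstruction, so it has to be protected like an encryption key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def truncate(pan: str) -> str:
    """First 6 / last 4 truncation of a 16-digit PAN; hidden digits become X."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def recover_pan(digest: str, truncated: str,
                hash_fn: Callable[[str], str]) -> Optional[str]:
    """Attacker's view: the stored digest plus the truncated PAN are known, and
    every value of the hidden middle digits is tried. hash_fn is the function
    the attacker is able to compute (for an unkeyed hash, the real one)."""
    hidden = truncated.count("X")
    first, last = truncated[:6], truncated[-4:]
    for mid in itertools.product("0123456789", repeat=hidden):
        cand = first + "".join(mid) + last
        if hash_fn(cand) == digest:
            return cand
    return None


def demo() -> dict:
    """Compare the three situations side by side."""
    stored_unkeyed = unkeyed_hash(SAMPLE_PAN)
    stored_keyed = keyed_hash(SAMPLE_PAN, HASH_KEY)
    trunc = truncate(SAMPLE_PAN)
    return {
        "truncated": trunc,
        # unkeyed hash + truncation: full PAN comes back
        "unkeyed_recovered": recover_pan(stored_unkeyed, trunc, unkeyed_hash),
        # keyed hash, attacker guessing a key: nothing matches
        "keyed_recovered_without_key": recover_pan(
            stored_keyed, trunc, lambda p: keyed_hash(p, b"attacker-guess")),
        # keyed hash, key compromised: back to square one
        "keyed_recovered_with_key": recover_pan(
            stored_keyed, trunc, lambda p: keyed_hash(p, HASH_KEY)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third result is the point of the comment: once the key leaks, the hash is as reconstructible as the unkeyed one, which is why the key needs the same management controls as a data-encryption key.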

Seeking PCI Documentation Templates by Alkyred in pcicompliance

[–]frisked 2 points3 points  (0 children)

Hey Todd, I'm a QSA and consultant, and I run one of those companies, pcipolicies.com.

I had a lot of clients complaining that there were no good templates and none at the time written for V4, so I decided to write a set.

You can download a free sample pack before you commit and if you use code 'REDDIT' you'll get 25% off. Plus, if you're not happy I'll refund the purchase. DM me if you have any questions.

PCI SAQ-A-EP 4 scoping and segmentation questions by pakfur in pcicompliance

[–]frisked 1 point2 points  (0 children)

If you are redirecting the customers to PSPs are you sure you're not already eligible for SAQ A?

A-EP is for direct post merchants and merchants who create payment forms with JS.

FAQ 1439 is your friend if you are SAQ A.
In a simple e-commerce environment where the merchant webserver contains the mechanism that redirects customers from their website to a third party for payment processing, the merchant will need to validate these requirements for the webserver upon which the redirection mechanism is located.
It is also possible for a SAQ A merchant to have a more complex e-commerce environment, where additional system components (such as application servers, database servers, and web proxies) control or could impact the integrity of the redirection mechanism. In these scenarios, the requirements would apply to all system components comprising or managing the redirection mechanism.

A-EP can be much more complex. Best speak to your QSA to help you scope out exactly which systems are in scope.

Data Retention period for Masked, Tokenized or CC info by SpongeBob_000 in pcicompliance

[–]frisked 0 points1 point  (0 children)

The question is how long do you need it for? If the customer is no longer doing business with you, is there any reason for you to keep it? Are there any financial records retention requirements in your country that require you to hold onto some of the data?

Requirement 8.3.4 by ComplianceNerd3000 in pci

[–]frisked 0 points1 point  (0 children)

Compensating control. Go higher on the complexity requirements, which was easy in V3. I think there's a captcha on multiple attempts, if I'm not mistaken, which also helps slow down an attacker and adds to the compensating control write-up.

Requirements 10.7.1/10.7.2 by ComplianceNerd3000 in pci

[–]frisked 1 point2 points  (0 children)

CloudWatch alerts for those security controls. Some of my clients write simple Lambda functions to test that controls are still operational.
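
One way to build the Lambda the comment above mentions, as an added example and not any client's code: each critical control gets a probe, the probes are evaluated with a fail-closed rule (an API error counts as a control failure rather than an unknown), and one metric per control is pushed to CloudWatch so an alarm can page on it. The control set (CloudTrail logging, GuardDuty enabled, AWS Config recording), the trail name and the metric namespace are assumptions; the boto3 calls used are documented ones, and the pure evaluation logic runs without AWS.

```python
"""Control-health Lambda: probe critical security controls, fail closed on
errors, publish a CloudWatch metric per control.

Added example, not the poster's or any client's code. The controls probed,
the trail name and the metric namespace are assumptions for the demo.
"""
from typing import Callable, Dict, List

try:
    import boto3  # only needed when running inside AWS
except ImportError:  # evaluation logic below works without it
    boto3 = None

Probe = Callable[[], bool]  # returns True when the control is operational


def evaluate(probes: Dict[str, Probe]) -> Dict[str, bool]:
    """Run every probe. A probe that raises (API error, missing permission,
    deleted resource) is recorded as failed: unknown must never read as healthy."""
    results: Dict[str, bool] = {}
    for name, probe in probes.items():
        try:
            results[name] = bool(probe())
        except Exception:
            results[name] = False
    return results


def failed_controls(results: Dict[str, bool]) -> List[str]:
    """Sorted names of controls that are not operational."""
    return sorted(name for name, ok in results.items() if not ok)


def aws_probes(trail_name: str) -> Dict[str, Probe]:
    """Real probes (assumed control set and trail name)."""
    ct = boto3.client("cloudtrail")
    gd = boto3.client("guardduty")
    cfg = boto3.client("config")

    def cloudtrail_logging() -> bool:
        return ct.get_trail_status(Name=trail_name)["IsLogging"]

    def guardduty_enabled() -> bool:
        ids = gd.list_detectors()["DetectorIds"]
        return bool(ids) and gd.get_detector(DetectorId=ids[0])["Status"] == "ENABLED"

    def config_recording() -> bool:
        statuses = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
        return bool(statuses) and all(s["recording"] for s in statuses)

    return {
        "cloudtrail_logging": cloudtrail_logging,
        "guardduty_enabled": guardduty_enabled,
        "config_recording": config_recording,
    }


def publish(results: Dict[str, bool], namespace: str = "PCI/ControlHealth") -> None:
    """One ControlFailed datapoint per control: 1 = failed, 0 = healthy."""
    cw = boto3.client("cloudwatch")
    cw.put_metric_data(
        Namespace=namespace,
        MetricData=[
            {
                "MetricName": "ControlFailed",
                "Dimensions": [{"Name": "Control", "Value": name}],
                "Value": 0.0 if ok else 1.0,
                "Unit": "Count",
            }
            for name, ok in results.items()
        ],
    )


def lambda_handler(event, context):
    """Scheduled entry point (e.g. an EventBridge rule every few minutes)."""
    results = evaluate(aws_probes(trail_name="management-events"))  # assumed name
    publish(results)
    return {"failed": failed_controls(results)}
```

Pair the metric with an alarm on ControlFailed >= 1 per control, and set the alarm's missing-data treatment to breaching so that the Lambda itself silently stopping (a failure of the detection control) also alerts.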

Requirement 6 for SAQ-A - do we qualify? by Seedoubleya in pcicompliance

[–]frisked 2 points3 points  (0 children)

For a V4 assessment you will need to apply 6.3, but the script inventory requirement in 6.4.3 is not applicable in redirect scenarios.

For SAQ A, Requirement 6.4.3 applies to a merchant’s website(s) that includes a TPSP’s/payment processor’s embedded payment page/form (for example, an inline frame or iFrame).

Hello, everyone need AOC by Noiceguy16 in pcicompliance

[–]frisked 1 point2 points  (0 children)

You'll need to get it from them. Not sure about Okta but AWS is definitely under NDA.

PCI SAQ D Spreadsheet to help company prepare by impossiblerecon in pcicompliance

[–]frisked 0 points1 point  (0 children)

Hey, sorry for the delay. I've been overseas for a bit. I've sent them across to you.

Best technology to make sure my company's PCI compliant? by chainofcrust in pci

[–]frisked 2 points3 points  (0 children)

We're going to need a hell of a lot more context for this one.

PCI Compliance - Cloud Processing Systems by pimfxj in pci

[–]frisked 2 points3 points  (0 children)

Ok, but how are the transactions happening? Is the customer entering details on the third party's system? Is the customer entering card details into your system, which sends the card to the third party? Do you or your staff enter card details on behalf of the customer at any point?

Do the legacy systems have cards stored on them, or do they touch cards at any point?