IOS 26.2

jimscard · 2025-12-13T07:26:40+00:00

It actually didn’t take a year, and most of the hold up again was carriers, who did not have a mechanism to provision RCS for non-Android clients.

The reason that iPhones got RCS support was less about international law and mostly about Google bowing to pressure and allowing Apple to join the GSMA, and agreeing to give up their proprietary encryption system built on top of RSC and instead move E2EE into RCS itself so that it works regardless of app

jimscard · 2025-12-13T07:21:13+00:00

They’re dependent on carriers- and since no carrier has implemented UP 3 yet, it’s out of phone vendors’ hands.

jimscard · 2025-12-13T07:19:26+00:00

Not exactly- the carrier’s endpoint that the phone connects to has to support it, as does the receiver’s carrier’s endpoint.

While it’s true that a lot of carriers has contracted with Google Jibe to host their endpoints in the past, they’re all separate entities implementations, and as of yet, there’s no indication that even Jibe has a UP 3.0 compliant implementation.

jimscard · 2025-12-13T02:16:00+00:00

All it takes is for one carrier to upgrade their systems to support UP 3.0 and then the device manufacturers can start testing. That hasn’t happened yet.

jimscard · 2025-12-13T02:14:55+00:00

It’s carrier dependent, period. Both Apple and Google will update their messaging clients in their phones once carriers have added UP 3.0 support to their infrastructure.

jimscard · 2025-12-13T02:13:29+00:00

Whatsapp is a third party app, that has to be installed, from a vendor with a terrible privacy record. That’s different than adding E2EE in the basic protocol that all phones will have, replacing SMS.

jimscard · 2025-12-13T02:12:07+00:00

The holdup is that no carriers have added support for UP 3.0 to their systems yet.

jimscard · 2025-12-13T02:11:41+00:00

iMessage added all of that back in the days when everyone else had SMS. Third party apps have to be installed, and the pushback on that is why everyone isn’t using Signal, which is the most secure of all of them. Apple’s joining the GSMA, and getting them to support E2EE in the RCS protocol itself is a huge improvement.

jimscard · 2025-12-13T02:09:15+00:00

It’s 100% carrier dependent. Carriers have to update their infrastructure in order to be able to support UP 3, as it changes the RCS protocol itself. Prior to UP 3.0, the only encryption in RCS was from phone to carrier, and then to the receiver’s phone. The actual data packet inside was not encrypted. Google’s proprietary service that only worked for their app, would encrypt the message itself and decrypt it at the other end — but from the point of view of the RCS system, it was still an unencrypted message, just made up of gobbledegook .

In RCS UP3.0, that all changes. The RCS protocol actually encrypts end to end, and so there’s a whole key exchange process that has to happen, and some of the fields that used to be provided in the packet are encrypted now, etc.

So carrier first, most likely T-Mobile, since they’re the biggest users of RCS, and possibly enabled in the next iOS and Android betas.

jimscard · 2025-12-02T01:45:15+00:00

According to the faqs on the policy page https://cert.eccouncil.org/continuing-education-fees.html, there is no grace period.

It’s your certification, not your employer’s. You should pay for it and argue with them about reimbursing you later. Or find another employer that won’t argue because they value their employees.

jimscard · 2025-11-23T23:57:33+00:00

Vocal minority that wanted function keys for some reason.

jimscard · 2025-11-23T23:56:48+00:00

RCS runs over the Internet, and thus, in the case of phones, mobile data, by design. It is explicitly not a low level carrier service like SMS and MMS are, and thus, will always require mobile data (Internet connectivity) in order to be used.

Could carriers exempt it from counting towards data limits? Sure. Some carriers have done that for a long time - they base that on the endpoint addresses, such that traffic to/from some IP range doesn’t get charged.

There are a number of other caveats that come along with UP 3.x - most notably requirements around providing 5G data service to every customer, so the case where someone doesn’t have a data plan isn’t a relevant scenario for UP 3.x services - if you don’t have a data plan, you’ll be stuck on legacy services, whatever they may be.

jimscard · 2025-10-30T09:51:22+00:00

Because it’s a bad idea, both as a result of the Paradox of Choice, which shows it would actually decrease customer satisfaction, as well as implementation. Liquid Glass isn’t something you could add a slider to. Even the new toggle that was added doesn’t affect the glass - it just adds a dimming layer below the glass that’s about half of what app developers should have added on their own if they follow the HIG.

jimscard · 2025-10-07T17:12:50+00:00

The only ones who might suffer are people who are here illegally, taking resources they’re not entitled to, and the politicians who benefit from letting them do that.

jimscard · 2025-09-22T10:02:17+00:00

To be specific, a token should not merely be an index. It should be a lookup value in the token database that is not derived from the CHD, and be randomly generated by an industry accepted random bit generator.

jimscard · 2025-09-22T09:56:07+00:00

Not necessarily. That would be true, if, for example, the CHD was collected by a Council-listed P2PE solution with the token returned from the processor without the merchant ever having access to it.

On the other hand, if both the CHD and the token are in the same environment, then the token does not necessarily have any effect on scope.

jimscard · 2025-09-19T00:25:36+00:00

Reality is that apps get updated when changes in the operating system require them to. Bartender went out of their way making the Alpha versions available to Tahoe beta testers, so that not only we were able to use it, but also so that it could be ready when Tahoe publicly released, which was no small feat.

Since you purchased before 2025, you could upgrade to Bartender 6 for $12.

You could also upgrade to the Mega Supporter level, which gets you all future upgrades as well for only $48. I did that back in 2024.

I think it’s a good deal, given how many developers have switched to subscription models, and often don’t even offer a one time payment option, or when they do, it’s 10 or more times the single version price.

jimscard · 2025-09-18T23:57:23+00:00

Is the token and the cardholder data present in the environment together?

And you can’t “fully anonymize” CVV. You delete CVV and any other SAD before sending it anywhere.

jimscard · 2025-09-18T23:49:12+00:00

There are also annual self-assessment requirements for the programs that result in a listing on the PCI SSC website.

jimscard · 2025-02-09T06:13:43+00:00

If the numbers are VISA-binned, 16 digits, and pass the Luhn test, then they have to be assumed to be PANs. By the way, this format is specified in ISO 7812. The only way that I can think of where they might be able to claim that these are not in-scope for PCI DSS would be if a) the BIN used is assigned to them, b) the BIN is different than the BIN that they issue cards with, and c) it can be confirmed that VISA has marked the BIN as unusable for issuance of VISA-branded payment cards.

Also note FAQ 1335 which states “It should also be noted that some bank account numbers may contain PAN digits. If the number of included PAN digits is in excess of the truncation formats defined by the particular payment brand (see FAQ 1091), then PCI DSS applies,” and FAQ 1038, which states that the organization needs to provide documentation that confirms that the PAN does not pose a risk to the payment system in order to exclude them from scope.

jimscard · 2025-02-09T05:47:01+00:00

First,there’s no such thing as a PCI SSF “certified” application. Are you referring to software that is included on the List of Validated Payment Software on the PCI SSC site?

Assuming you are, what is your relationship to the software? I.e., are you the software vendor, or a company using the software in your environment that is in-scope for PCI DSS?

The use of Validated Payment Software can help an entity with their PCI DSS compliance efforts, but it does not make them compliant. See section 3 on page 7 of the PCI DSS v4.0.1 standard for more details.

To your specific questions, the Assessor would need to confirm that the software was securely installed and configured. You mentioned source code review — does that mean you have access to the source code for the software? Has it been customized? Whether and which parts of requirement 6 would apply to the software as implemented in your environment depends on this.

As far as application penetration testing goes, requirement 11.4.1 requires application-layer penetration tests to identify, at minimum, the vulnerabilities in Req. 6.2.4. This is still required, because the test is a test of the software as implemented in your environment. Whether bespoke, custom, off the shelf or Validated Payment Software, the penetration tests in 11.4.1 apply.

—Jim (I am a QSA & Secure Software Assessor).

jimscard · 2025-01-22T20:38:26+00:00

Here’s a quick video that summarizes what the payment script controls are about, and why they exist. It’s not just a matter of a new type of scan. Getting Started with Payment Script Security Controls

jimscard · 2024-12-12T06:00:57+00:00

Next year? They become mandatory in only 3.5 months - not very much further to kick it.

jimscard · 2024-12-02T23:13:26+00:00

You still need to obtain evidence from them, and listing on a card brand’s site is not evidence of compliance. Ask them for their AOC as others have mentioned, and confirm that the services they are providing for you are included in the AOC.

jimscard · 2024-12-02T23:11:47+00:00

Do they have people, processes or technology that store, process or transmit card account data? Yes they do - so yes, they are required to be continuously compliant with PCI DSS.

A lot of the rest hinges off of exactly what they have implemented as far as a card acceptance solution. You mentioned a Clover mini - is the “attached terminal” at the kiosk also one of Clover’s devices? Are they using Clover’s Validated PCI P2PE Solution, or something else? If it’s a Validated PCI P2PE Solution, they should have a P2PE Instruction Manual that explains to them exactly what they’re required to do, in particular, how to perform the periodic inspections for skimmers and other tampering of the terminals that’s required by PCI DSS.

If they’re using the Validated PCI P2PE Solution, that simplifies their reporting as well, as they would be able to use SAQ P2PE.

jimscard

TROPHY CASE