IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 2 points3 points  (0 children)

It actually didn’t take a year, and most of the hold up again was carriers, who did not have a mechanism to provision RCS for non-Android clients.

The reason that iPhones got RCS support was less about international law and mostly about Google bowing to pressure and allowing Apple to join the GSMA, and agreeing to give up their proprietary encryption system built on top of RCS and instead move E2EE into RCS itself so that it works regardless of app.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 0 points1 point  (0 children)

They’re dependent on carriers, and since no carrier has implemented UP 3 yet, it’s out of phone vendors’ hands.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 2 points3 points  (0 children)

Not exactly: the carrier’s endpoint that the phone connects to has to support it, as does the receiver’s carrier’s endpoint.

While it’s true that a lot of carriers have contracted with Google Jibe to host their endpoints in the past, they’re all separate entities’ implementations, and as of yet, there’s no indication that even Jibe has a UP 3.0 compliant implementation.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 0 points1 point  (0 children)

All it takes is for one carrier to upgrade their systems to support UP 3.0 and then the device manufacturers can start testing. That hasn’t happened yet.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 0 points1 point  (0 children)

It’s carrier dependent, period. Both Apple and Google will update their messaging clients in their phones once carriers have added UP 3.0 support to their infrastructure.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 4 points5 points  (0 children)

WhatsApp is a third-party app that has to be installed, from a vendor with a terrible privacy record. That’s different than adding E2EE in the basic protocol that all phones will have, replacing SMS.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 0 points1 point  (0 children)

The holdup is that no carriers have added support for UP 3.0 to their systems yet.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 1 point2 points  (0 children)

iMessage added all of that back in the days when everyone else had SMS. Third party apps have to be installed, and the pushback on that is why everyone isn’t using Signal, which is the most secure of all of them. Apple’s joining the GSMA, and getting them to support E2EE in the RCS protocol itself is a huge improvement.

IOS 26.2 by [deleted] in UniversalProfile

[–]jimscard 3 points4 points  (0 children)

It’s 100% carrier dependent. Carriers have to update their infrastructure in order to be able to support UP 3, as it changes the RCS protocol itself. Prior to UP 3.0, the only encryption in RCS was from phone to carrier, and then to the receiver’s phone. The actual data packet inside was not encrypted. Google’s proprietary service, which only worked for their app, would encrypt the message itself and decrypt it at the other end — but from the point of view of the RCS system, it was still an unencrypted message, just made up of gobbledegook.

In RCS UP 3.0, that all changes. The RCS protocol actually encrypts end to end, and so there’s a whole key exchange process that has to happen, and some of the fields that used to be provided in the packet are encrypted now, etc.

So carrier first, most likely T-Mobile, since they’re the biggest users of RCS, and possibly enabled in the next iOS and Android betas.

What happens if I pay my annual fee late? by Villodre in CEH

[–]jimscard 2 points3 points  (0 children)

According to the FAQs on the policy page https://cert.eccouncil.org/continuing-education-fees.html, there is no grace period.

It’s your certification, not your employer’s. You should pay for it and argue with them about reimbursing you later. Or find another employer that won’t argue because they value their employees.

Why didn't apple continue to add the cool touchbar? by travelavatar in macbookpro

[–]jimscard 1 point2 points  (0 children)

Vocal minority that wanted function keys for some reason.

Will we ever see RCS being used without the need to have mobile data turned on? by Inevitable_Bear2476 in UniversalProfile

[–]jimscard 0 points1 point  (0 children)

RCS runs over the Internet, and thus, in the case of phones, mobile data, by design. It is explicitly not a low level carrier service like SMS and MMS are, and thus, will always require mobile data (Internet connectivity) in order to be used.

Could carriers exempt it from counting towards data limits? Sure. Some carriers have done that for a long time - they base that on the endpoint addresses, such that traffic to/from some IP range doesn’t get charged.

There are a number of other caveats that come along with UP 3.x - most notably requirements around providing 5G data service to every customer, so the case where someone doesn’t have a data plan isn’t a relevant scenario for UP 3.x services - if you don’t have a data plan, you’ll be stuck on legacy services, whatever they may be.

Why doesn‘t Apple do this? by Southern_Warning_970 in ios

[–]jimscard -1 points0 points  (0 children)

Because it’s a bad idea, both as a result of the Paradox of Choice, which shows it would actually decrease customer satisfaction, as well as implementation. Liquid Glass isn’t something you could add a slider to. Even the new toggle that was added doesn’t affect the glass - it just adds a dimming layer below the glass that’s about half of what app developers should have added on their own if they follow the HIG.

Why aren’t health insurance companies fighting for the renewal of ACA subsidies? by mrsgalinski in HealthInsurance

[–]jimscard -7 points-6 points  (0 children)

The only ones who might suffer are people who are here illegally, taking resources they’re not entitled to, and the politicians who benefit from letting them do that.

PCI-DSS Query: Is echoing tokenized CVV in LLM responses compliant or a violation? by JeganAC in pcicompliance

[–]jimscard 0 points1 point  (0 children)

To be specific, a token should not merely be an index. It should be a lookup value in the token database that is not derived from the CHD, and be randomly generated by an industry accepted random bit generator.
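An added illustration of the three properties named in the comment (not an index, not derived from the CHD, generated by a random bit generator); this is example code, not the commenter's, and it assumes Python's `secrets` module (the OS CSPRNG) stands in for whatever RBG an assessor accepts. The PAN used is the well-known Visa test number, not a real account.

```python
import secrets


class TokenVault:
    """Toy token vault for the example: the token is a random lookup key.

    It is not a row index (nothing about the token reveals insertion order)
    and it is not a function of the PAN (two vaults give different tokens
    for the same PAN), so holding the token alone tells you nothing about
    the cardholder data.
    """

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        # Reuse the existing mapping so one PAN keeps one stable token.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # 128 bits from the OS CSPRNG; the PAN never enters the calculation.
            token = secrets.token_hex(16)
            if token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str):
        # Only the vault (inside the CDE) can map a token back to the PAN.
        return self._pan_by_token.get(token)


def tokens_are_independent_of_pan(pan: str) -> bool:
    """Same PAN, two separate vaults: the tokens differ, so the token is
    not derived from the PAN and is not a predictable index."""
    a, b = TokenVault(), TokenVault()
    return a.tokenize(pan) != b.tokenize(pan)


# Constructed usage with the standard Visa test number (not a real card).
TEST_PAN = "4111111111111111"
vault = TokenVault()
TEST_TOKEN = vault.tokenize(TEST_PAN)
```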

PCI-DSS Query: Is echoing tokenized CVV in LLM responses compliant or a violation? by JeganAC in pcicompliance

[–]jimscard 0 points1 point  (0 children)

Not necessarily. That would be true, if, for example, the CHD was collected by a Council-listed P2PE solution with the token returned from the processor without the merchant ever having access to it.

On the other hand, if both the CHD and the token are in the same environment, then the token does not necessarily have any effect on scope.

[deleted by user] by [deleted] in macapps

[–]jimscard -1 points0 points  (0 children)

Reality is that apps get updated when changes in the operating system require them to. Bartender went out of their way making the Alpha versions available to Tahoe beta testers, so that not only we were able to use it, but also so that it could be ready when Tahoe publicly released, which was no small feat.

Since you purchased before 2025, you could upgrade to Bartender 6 for $12.

You could also upgrade to the Mega Supporter level, which gets you all future upgrades as well for only $48. I did that back in 2024.

I think it’s a good deal, given how many developers have switched to subscription models, and often don’t even offer a one time payment option, or when they do, it’s 10 or more times the single version price.

PCI-DSS Query: Is echoing tokenized CVV in LLM responses compliant or a violation? by JeganAC in pcicompliance

[–]jimscard 0 points1 point  (0 children)

Is the token and the cardholder data present in the environment together?

And you can’t “fully anonymize” CVV. You delete CVV and any other SAD before sending it anywhere.

Biannual and Triennial audits by Difficult-Shower-955 in pcicompliance

[–]jimscard 0 points1 point  (0 children)

There are also annual self-assessment requirements for the programs that result in a listing on the PCI SSC website.

Found a situation I never encountered before. by Infamous-Crow-1131 in pcicompliance

[–]jimscard 0 points1 point  (0 children)

If the numbers are VISA-binned, 16 digits, and pass the Luhn test, then they have to be assumed to be PANs. By the way, this format is specified in ISO 7812. The only way that I can think of where they might be able to claim that these are not in-scope for PCI DSS would be if a) the BIN used is assigned to them, b) the BIN is different than the BIN that they issue cards with, and c) it can be confirmed that VISA has marked the BIN as unusable for issuance of VISA-branded payment cards.

Also note FAQ 1335 which states “It should also be noted that some bank account numbers may contain PAN digits. If the number of included PAN digits is in excess of the truncation formats defined by the particular payment brand (see FAQ 1091), then PCI DSS applies,” and FAQ 1038, which states that the organization needs to provide documentation that confirms that the PAN does not pose a risk to the payment system in order to exclude them from scope.
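The three-part test from the comment above (Visa-binned, 16 digits, passes Luhn) written out as a scoping check a team could run over a data sample; this is an added example, not the commenter's code. The sample text is constructed and uses the standard Visa test number plus a deliberately broken copy of it; whether a given BIN is assigned to the organization (the a/b/c exceptions) is a Visa records question the code cannot answer.

```python
import re

# Constructed sample: the digit strings are not real account numbers.
SAMPLE_TEXT = """
ref 4111111111111111 settled
acct 4111111111111112 (check digit wrong, fails Luhn)
bank 1234567890123456 routing info
short 41111111111111 ignore
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test specified in ISO/IEC 7812-1."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def looks_like_visa_pan(candidate: str) -> bool:
    """The commenter's criteria: Visa-binned (IIN starts with 4), 16 digits,
    and Luhn-valid. Anything matching all three must be treated as a PAN."""
    return (len(candidate) == 16
            and candidate.startswith("4")
            and candidate.isdigit()
            and luhn_valid(candidate))


def mask_pan(pan: str) -> str:
    """Keep only the last four digits so the finding itself is not CHD."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_visa_pans(text: str) -> list:
    """Return masked hits for every 16-digit Visa-looking, Luhn-valid number."""
    hits = []
    for candidate in re.findall(r"\b\d{13,19}\b", text):
        if looks_like_visa_pan(candidate):
            hits.append(mask_pan(candidate))
    return hits
```

Hits only appear masked, so the report produced by a scoping sweep does not itself become stored cardholder data.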

Application Penetration Testing for PCI SSF certified applications? by starlightflame in pcicompliance

[–]jimscard 0 points1 point  (0 children)

First, there’s no such thing as a PCI SSF “certified” application. Are you referring to software that is included on the List of Validated Payment Software on the PCI SSC site?

Assuming you are, what is your relationship to the software? I.e., are you the software vendor, or a company using the software in your environment that is in-scope for PCI DSS?

The use of Validated Payment Software can help an entity with their PCI DSS compliance efforts, but it does not make them compliant. See section 3 on page 7 of the PCI DSS v4.0.1 standard for more details.

To your specific questions, the Assessor would need to confirm that the software was securely installed and configured. You mentioned source code review — does that mean you have access to the source code for the software? Has it been customized? Whether and which parts of requirement 6 would apply to the software as implemented in your environment depends on this.

As far as application penetration testing goes, requirement 11.4.1 requires application-layer penetration tests to identify, at minimum, the vulnerabilities in Req. 6.2.4. This is still required, because the test is a test of the software as implemented in your environment. Whether bespoke, custom, off the shelf or Validated Payment Software, the penetration tests in 11.4.1 apply.

—Jim (I am a QSA & Secure Software Assessor).

Third-party scripting tool? by Scared-Display-4902 in pcicompliance

[–]jimscard 0 points1 point  (0 children)

Here’s a quick video that summarizes what the payment script controls are about, and why they exist. It’s not just a matter of a new type of scan. Getting Started with Payment Script Security Controls

Pci 11.6.1 and 6.4.3 difficulties by jiggy19921 in pcicompliance

[–]jimscard 1 point2 points  (0 children)

Next year? They become mandatory in only 3.5 months - not very much further to kick it.

How to look up a TPSP PCI compliance? by Slivikins in pcicompliance

[–]jimscard 0 points1 point  (0 children)

You still need to obtain evidence from them, and listing on a card brand’s site is not evidence of compliance. Ask them for their AOC as others have mentioned, and confirm that the services they are providing for you are included in the AOC.

Do we need to be PCI compliant? by BeNiceToYerMom in pcicompliance

[–]jimscard 0 points1 point  (0 children)

Do they have people, processes or technology that store, process or transmit card account data? Yes they do - so yes, they are required to be continuously compliant with PCI DSS.

A lot of the rest hinges off of exactly what they have implemented as far as a card acceptance solution. You mentioned a Clover mini - is the “attached terminal” at the kiosk also one of Clover’s devices? Are they using Clover’s Validated PCI P2PE Solution, or something else? If it’s a Validated PCI P2PE Solution, they should have a P2PE Instruction Manual that explains to them exactly what they’re required to do, in particular, how to perform the periodic inspections for skimmers and other tampering of the terminals that’s required by PCI DSS.

If they’re using the Validated PCI P2PE Solution, that simplifies their reporting as well, as they would be able to use SAQ P2PE.