Profile
Location: London
Member since: 2008
Michael Kyritsis
Lead Solution Consultant at ACI
Posts: 0 Comments: 20

Michael is Commenting on

Firms still struggling with PCI DSS compliance

@Ketharaman: Migration of an on-prem system to the cloud would give a retailer very few benefits, but the PCI DSS standards do cater for it in Appendix A “Additional PCI DSS Requirements for Shared Hosting Providers”. It contains this note:

> Even though a hosting provider may meet these requirements [separation of entities, and physical security measures], the compliance of the entity that uses the hosting provider is not guaranteed. Each entity must comply with the PCI DSS and validate compliance as applicable.

In answer to your question, Amazon / Microsoft cannot make the retailer's payment system compliant with PCI DSS; they can only provide a data centre that has the necessary requirements for the retailer to achieve PCI DSS. In our experience the overwhelming majority of retailers have already moved, or are looking to move, to a SaaS solution because they don’t want to be burdened with the technical requirements of security, compliance with the card scheme mandates, etc.

@Rodney: my thoughts on what is "fit for purpose" today are to separate CNP from card-present. Why is the same PAN embossed on the card, encoded in the magstripe, and in the chip? If they were 3 different numbers (all linked to the same account), a retailer could decide to accept EMV only (in those markets where it is already very well established), and any data passing through the payments system would be useless to fraudsters trying to create counterfeit cards or do fraudulent CNP transactions.