By PCIGuru

For those of you looking for my posts grouped into a series based on topic, here is your page.

Network Segmentation Series

Multiprotocol Label Switching (MPLS) Series

Cloud Series

Encryption Series

Europay/MasterCard/Visa (EMV)

Pre-Authorization Data

Mobile Payments

Point To Point Encryption (P2PE)

Scoping Of The Cardholder Data Environment (CDE)


9 Responses to “Post Series References”

  1. JAMiller
    October 12, 2020 at 1:07 PM

    Hi PCIGuru,
    Thanks for all your advice and keep us updated from this site. The company has had an increase in mergers and acquisitions over the last two years and there is a need to consolidate the multiple payment processors and work with a single payment gateway. We hope to receive savings from this consolidated effort. However, what areas of concern should I be watching for as we consolidate? The goal is to modify the applications to re-direct the customer and use the payment processor's customized payment page. As we begin to consolidate to use one payment gateway, does the transaction count come from the number used for each merchant ID or the total number of transactions for all merchant IDs, including the parent + subsidiaries?


    • October 13, 2020 at 6:51 AM

      Back in the “good old days” of PCI, the banks and processors had no idea of total transaction volumes for a given entity that had been created by M&A activities and multiples of MIDs. However, that all changed probably around six to eight years ago and that is no longer the case. All the players know close to every entity’s total transactions volumes regardless of number of MIDs.

      The key thing to watch for though is ensuring that every business unit properly implements the re-direct. I have encountered too many organizations where they claim it was done consistently only to find some BUs that used JavaScript or something other than a re-direct.

  2. Masood
    September 26, 2018 at 1:21 AM

    A client has a merchant portal which is accessed by merchants to view transactions, but there is no card data related detail viewed through that portal, though the transaction details are extracted from the payment gateway database. Merchants use a merchant ID, username and password to log in to the portal. Does 2FA apply to this portal, or can it be excluded from the 2FA requirement for remote access?

    • September 26, 2018 at 8:03 AM

      Requirement 8.3.2 states, “Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.” The scenario you present would be considered remote access so MFA is required.

  3. Masood
    July 16, 2018 at 7:05 AM

    Hello Guru, thanks for your responses and guidance. Please advise: if we have one enterprise firewall that is facilitating both PCI and non-PCI zones, then for the firewall ruleset review requirement, are we required to review only the rules related to the PCI zone, or do all the rulesets need to be reviewed?

    • July 16, 2018 at 5:39 PM

      All the rule sets will need to be reviewed to ensure that the non-PCI rules do not create segmentation issues with your PCI zone. That will be further confirmed by your penetration test.

  4. shiva
    September 16, 2015 at 7:52 AM

    Hi Guru,

    I am looking into log management configuration to meet the PCI DSS requirement on QRadar.

    We have a QRadar device for log management and a couple of PCI DSS devices. For this we need to set rules in line with PCI DSS, so could you please advise us which rules need to be set in QRadar to monitor?

    If you have any document, please share it with us.

    • September 19, 2015 at 6:30 AM

      If I shared every little tidbit of my knowledge, I would have nothing with which to make a living as an information security consultant. So while I do have such information, I only share it with my clients through consulting engagements when I am paid to share it.

  5. September 24, 2013 at 3:58 AM

    Have you ever thought about publishing an ebook or guest authoring on other blogs? I have a blog centered on the same subjects you discuss and would really like to have you share some stories/information. I know my audience would enjoy your work. If you are even remotely interested, feel free to shoot me an e-mail.
