What Everybody Ought to Know About PCI DSS and PA-DSS

David Grazio

Wed, 23rd July 2014


Speaker Bio 1:
David Grazio, Director of Channels, North America, Security Innovation

Learning Objectives:

David Grazio will explain:

  • Important updates to the PCI DSS and the Payment Application Data Security Standard (PA-DSS)
  • How to comply with the training requirements of PCI DSS, protect cardholder data, avoid social engineering and malicious downloads, and keep software and anti-virus programs updated
  • Best password practices, email and browser security, mobile device and tablet security, social media safety and physical security
  • How to stay secure while working remotely

Resources and materials:


Questions and answers

Max, Concise Courses:
As a small merchant do we have to have a “PCI DSS compliance certificate” and what exactly is that?

David Grazio:
That is part of the PCI DSS 3.0 Standard. There is a need to conduct annual security awareness training, and if you look at the packaged solutions that are out there at the moment, in most cases, as you go through those training programs there is a certificate that you can get upon completion of the training that would show that you are in compliance.


Max, Concise Courses:
As a security-conscious individual freaked out by privacy, my advice is to use pre-paid Visa cards, so if your credit card numbers are hacked you are safe. Just my two cents.

David Grazio:
That is a good point! Our credit cards and debit cards all get used so much [currently]. If you work in security then it can become habitual to check that your receipt only has the last four digits on it. It's little things like that that companies don't realize, or don't take that extra step on, regarding how important it is.
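The receipt check mentioned in the answer above (only the last four digits of the card number printed) is a PAN-masking rule, and the same rule applies wherever card data might be echoed back: receipts, logs, support tickets. The following Python is an added example, not code from the webinar or from Security Innovation. It scans a constructed receipt for anything shaped like a card number, keeps only candidates that pass the Luhn check so that order numbers and phone numbers are left untouched, and replaces each one with a form that shows only the last four digits. The sample receipt and the numbers in it are constructed; 4111 1111 1111 1111 is a well-known test number, not a real account, and 4111111111111112 is the same number with a deliberately wrong check digit.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single
# spaces or hyphens as they appear on receipts and forms. The lookarounds stop
# a longer digit run (e.g. a 20-digit reference number) from matching.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample input: one real-looking card line, one 16-digit value
# that fails the Luhn check, and an order number and phone number that must
# not be touched.
SAMPLE_RECEIPT = """\
Merchant: Example Store   Date: 2014-07-23
Item: Widget              12.00 USD
CARD: 4111 1111 1111 1111  AUTH: 4111111111111112
Order: 2014072300123456  Phone: 555-0100
"""


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check digit test."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit; every second digit is doubled and, if the
    # result has two digits, reduced by 9 (equivalent to summing its digits).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str, keep_last: int = 4, fill: str = "*") -> str:
    """Mask a PAN for display, keeping only the last `keep_last` digits.

    This is the receipt form (last four only). PCI DSS 3.3 also permits the
    first six digits to be shown where there is a business need; that variant
    is not implemented here.
    """
    if keep_last < 0 or keep_last > len(digits):
        raise ValueError("keep_last out of range")
    return fill * (len(digits) - keep_last) + digits[-keep_last:]


def redact_pans(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid card number in `text` with its masked form.

    Returns the rewritten text and the number of PANs that were masked.
    Candidates that fail the Luhn check are left as they are, so ordinary
    long numbers are not mangled.
    """
    count = 0

    def repl(m: re.Match) -> str:
        nonlocal count
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return CANDIDATE_RE.sub(repl, text), count


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_RECEIPT)
    print(f"{n} card number(s) masked")
    print(redacted)
```

Running the block masks exactly one number on the sample receipt: the card line becomes `CARD: ************1111`, while the Luhn-invalid AUTH value, the order number and the phone number are unchanged. The Luhn check is a plausibility filter, not proof that a number is a live account, so a deployment that must not leak anything would treat every 13 to 19 digit run as sensitive; the filter is a trade-off against false positives in logs.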


Max, Concise Courses:
What are the most common types of credit card fraud and how does PCI DSS address that fraud?

David Grazio:
Not knowing specifics, but any time someone gets hold of your credit card information there are a lot of different ways that [theft] can happen. I myself was a victim of it: someone had used my debit card with a particular merchant and they started making purchases. One thing to notice is, if you see a website [shopping cart] that does not ask for the last three digits, then they are often the primary target for cyber criminals. Walmart previously did not have the three-digit security code field required when making an online purchase; that is an easy way to get around security. Where that is relevant within the PCI DSS Standard is not just in the identification but in some of the remediation, and also in the reporting as well. That is where you want to take a look, so that if an incident does take place it will be reported to the right authorities and that information is sent back to the PCI Council so that they can be aware of it.


Max, Concise Courses:
How do the PCI Standards apply in regards to storing and transmitting data when call centers/IVRs are involved?

David Grazio:
I don't have the specifics with respect to the call centers and IVRs where the standard is concerned. However, I do know that in general, when we are talking about payment card information over the phone, you want to make sure that all the information is captured correctly, especially the security code on the back of the card. Also, what is important is that once the data is sent between vendors, merchants and issuing banks there is always the right level of encryption, so that your account is never open to being compromised.