A PABP compliance press release that raises some concerns…

While scanning through my RSS feeds this morning (which I have neglected in the past few weeks), I ran into a PABP product press release. Let me just include the relevant portions here and not list the company name.

_______________ is a PCI PABP v1.4 (Payment Application Best Practices) validated payment application, Visa USA accepted _______________ as validated based on the review by Trustwave, a well known QSR. _______________ runs on Windows 98 through Windows Vista and supports _________________________________________________________.

Two things struck me:

  • Trustwave is a QSA (actually a PA-QSA in this role), not a QSR (Quick Service Restaurant?).
  • Windows 98? Windows 98 is not secure: it reached End-of-Life in July 2006, it no longer receives security patches, and it is not something I would recommend to anyone implementing a new payment application.

How can a payment application be PABP compliant on an insecure, unsupported, EOL'ed OS? Even if the application itself satisfies every PABP requirement, a merchant running it on Windows 98 cannot meet PCI DSS requirement 6.1 (keep all system components current with vendor-supplied security patches), because no such patches exist for that platform anymore. Interesting…


  1. I have seen a lot worse from Trustwave than approving Windows 98 systems with cardholder data. Several databases containing unencrypted cardholder data, sensitive authentication data stored post-authorization, no working processes and routines, and so on are not uncommon to have passed an audit by Trustwave. I have a friend who has performed a lot of forensic investigations regarding card fraud, and none of them have been even close to compliant, and Trustwave was the assessor in all cases. It might just be a coincidence that Trustwave has come up in these cases, but I believe the QSAs need to step up if PCI DSS is going to survive.
