Do TLS interceptors that use root certificates to inspect traffic need to worry about PCI? [closed]

Many schools and workplaces require people using their internet to first install a root certificate, so that web traffic passing through their system can be decrypted and checked.
If someone makes an online purchase while connected to thei…

Does PCI/DSS allow storing the cardholder’s name a person entered (and not the real one)

I have an app where a person enters their card number, the cardholder’s name, the expiration date and the CVV. I am now making it PCI/DSS-compliant. I will store the card number in an encrypted way. Can I store the cardholder’s name the pe…

Complying with PCI DSS requirements by 2025

Version 4.0.1 of the Payment Card Industry Data Security Standard (PCI DSS), which came into effect back in April, incorporates a few important changes to make it fit for the modern digital world, addressing how technologies, the threat landscape and p…

Would a domain registrar be considered a Service Provider for PCI compliance if it never touches its customer’s card holder data?

Hypothetical:

Company A accepts credit card payments and must be PCI compliant.
Company B provides domain registration (but not DNS or web hosting) services to Company A.
Some of these domains are used by Company A to accept credit card d…

How do payment facilitators like Stripe handle the PCI DSS requirement to periodically inspect POI devices?

Payment facilitators like Stripe provide card payment terminals to their customers. These devices must be periodically inspected, per requirement 9.5.1.2. How does the payment facilitator handle this, given that they don’t have physical ac…

PCI Compliance for Contract Management Software with User-Entered Card Data

I’m evaluating a contract management software that claims PCI compliance for my CC data. However, I am going to use the software to issue contracts to my customers where they directly enter credit card information within contracts, which a…