SSH and PCI on Insecure, Dirty Side
Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side? Isn’t that outside the scope of the PCI code?
A former employer of mine has reached out to me to assist them with PCI certification (I guess I’ll be getting a 1099-NEC from them next year as a result). Here’s the point I’m at in the questionnaire:
File-integrity monitoring tools are … Continue reading file-integrity monitoring tools for PCI compliance
An e-commerce site uses the Direct-Post method (see page 14 PCI e-commerce security).
Is the server for the e-commerce application and network it resides on in scope for PCI? There are questions in the SAQ A-EP for servers and networking … Continue reading PCI scope for a Direct-Post e-commerce site (SAQ A-EP)
There must be some kind of business that requires the use of sensitive authentication data (SAD) data. Could someone point me in the right direction on the requirement for the storage of that data?
If I install a KMS into a PCI environment, and the KMS touches the keys of the payment HSM, does the KMS come into scope for a PCI audit?
I am designing a system that uses a certain biometric vector as a secondary user identification step before authorizing a payment. My system does not handle payment card details, rather the payment card processor consumes my service to aut… Continue reading Can biometric vectors (i.e. fingerprint vector) be considered as Sensitive Authentication Data (SAD) in PCI?
We will be providing a service to a client, where the end user logged on to our system can submit their payment information to Authorize.Net.
I need help figuring out if we as a service provider need to be PCI Compliant.
We will either … Continue reading PCI Compliance – Service Provider vs Merchant
I administer a few hundred servers and am going through a yearly PCI audit. This time around we need to prove that we’ve got anti-virus protection on our “systems commonly affected by malicious software (particularly personal computers an… Continue reading What is the difference between a server and an appliance for PCI purposes?
Can someone help me understand how the PCI timeout rules change for an application like the Starbucks app? A user is able to keep their card open and ready for scanning for longer than 15 minutes if needed, but PCI A11y AA also requires displaying … Continue reading PCI Idle Session Timeout general question
I’m hoping to clarify this:
If there is a segmented network and card data is only in one section, do the Section 6 requirements for development apply to the network segment that allows card data? Do any other requirements a… Continue reading PCI DSS Requirement 6 Clarification