
Not completely au fait with PCI compliance, however we have our server checked each month by our host to check it is PCI compliant, because we have to keep it PCI Compliant for a specific customer/service that we have running on it.

We have another service on the same server/system that creates images containing customer data (name/address)

We want those images to be accessible in another system's template... the third party system is secure (SSL cert). How do we make the images available without breaking PCI compliance? E.g. we want to allow the other system to do something like this: http://oururl.com?user=1&password=hashedpasshere&labelId=552

If we did that, would we be breaching PCI compliance? Any alternative solutions or thoughts are extremely welcome...

Thanks

Clarification: It's actually the same service that has different components, sorry for the mis-explanation.

Mark
  • 2
    Sounds like you may already be having trouble with [PCI 2.2.1](http://security.stackexchange.com/questions/25604/pci-dss-one-application-per-server). In any case generally you want to keep your PCI scope as small as possible, which would imply you don't want anything running in your CDE that doesn't strictly need to be. – bobince Oct 01 '13 at 08:00
  • Could you clarify, it sounds like the "images containing customer data" are for customer data that's _unrelated_ (for another customer?) to the "specific [PCI compliant] customer/service"? If so, ++vote for what @bobince said about violating 2.2.1. – gowenfawr Oct 01 '13 at 14:14
