Questions tagged [pci-scope]
98 questions
14
votes
1 answer
Can I use GitHub and be PCI DSS compliant?
Is it possible to use any remote DVCS (GitHub, Bitbucket, etc.) with PCI DSS or should I host Git on my own server?
iwex
- 243
- 2
- 6
12
votes
4 answers
How does collecting sensitive data using iframes increase security?
So this approach seems to be rather popular, particularly among payment processors that provide javascript integrations.
The added layer of security that "fields in iframe" brings also supposedly reduces the level of PCI compliance…
Acorn
- 222
- 2
- 7
7
votes
5 answers
Can I show Credit Card Data to final customers and be PCI Compliant?
I work with reservation management syatems. In the hospitality industry there is the concept of credit card as guarantee. By it when making any kind of reservation you are asked for your credit card info in order to secure the reservation, however…
jvlucic
- 83
- 1
- 5
7
votes
1 answer
Which self assessment questionairre should I use for PCI DSS compliance
My system is passed card data securely over HTTPS from an upstream system. The upstream system captures information via telephone input. This telephone input is sent to us, to invoke payments via Paycorp's API (Paycorp is PCI compliant). The up…
Sim
- 173
- 5
6
votes
2 answers
Clarification of PCI DSS 3.1 requirement 6+8
I'm quite puzzled about the PCI requirements when it comes to session timeouts and scope definitions.
The login is the end user/customer login to the public facing control panel in which they can handle their own transactions. We act as PSP. The…
Jeffery
- 61
- 1
- 2
5
votes
2 answers
Source code scanning - PCI Requirement - Service Provider
I've been doing a lot of research regarding the requirements for source code scanning but haven't found anything conclusive when it comes to my question below. So I need some guidance from PCI Experts here in StackExchange's Info Sec community.
Is a…
avakharia
- 103
- 8
5
votes
1 answer
PCI-DSS Network Segmentation and encrypted administrative interfaces
I'm using the 3/2/1 network segmentation model from the open pci dss scoping toolkit and I'm running into a bit of a mental roadblock. I have a phone system (Mitel 5000 series, if it matters) that is on my segmented internal network.
The phone…
Tim Brigham
- 3,762
- 3
- 29
- 35
4
votes
3 answers
PCI DSS - only one primary function per server
The PCI DSS says that a server can have only one primary function and i'm a little confused over what it means by 'one primary function'
we have a webserver with database - web pages and email
is this a breach of the rules? because just about all…
user1398287
- 161
- 1
- 4
4
votes
1 answer
PCI compliance with multiple AWS VPCs
If I have VPC which is in-scope (the "PCI VPC") and another which is not (the "NON-PCI VPC"), would peering them bring the non-pci vpc in-scope? Is there a way to avoid this?
I have an aurora RDS inside the PCI VPC. It does not actually contain…
Ian Buffington
- 41
- 3
4
votes
1 answer
When to complete PCI DSS Compliance Paperwork
I am working for a startup that will soon begin processing payments with Stripe.
Looking at their documentation, it seems we will have to file an SAQ A, SAQ A-EP, or an SAQ D depending on our integration method.
How soon will we need to submit one…
0xPingo
- 143
- 4
4
votes
2 answers
Are client-side-only apps regulated by PCI?
Consider a client-side-only application. It may allow a user to make a payment by redirecting them to payment gateway website, where they enter the credit card details. If I understand correctly, in this case only the payment provider must be PCI…
interphx
- 141
- 2
4
votes
2 answers
PCI DSS Storage Definition - BizTalk Consideration
I am having trouble locating a clear PCI DSS definition for "Storage" and wether or not Microsoft BizTalk could be considered within that definition. Could an overloaded BizTalk server or failed orcestration constitute storage even if only…
SystemObject
- 41
- 1
4
votes
1 answer
If my company receives credit card statements showing credit card number, does it have to be PCI compliant?
I understand PCI requirements on the storing, processing and transmitting of credit card information (PAN, expiration date, no on CVV, etc.).
However, I found nothing about receiving PAN (no expiration date, no cvv, etc.) ON document format (PDF).…
striders
- 43
- 3
4
votes
1 answer
Store PCI DSS data in an encrypted form in non PCI DSS scope
Am I allowed to save a strongly encrypted archive containing the CHD on an external storage which is outside our PCI-DSS infrastructure ?
For example, we'd like to save an encrypted backup archive for last resort purpose on a server which is hosted…
BitLegacy01
- 75
- 3
4
votes
1 answer
ASV scan with reverse proxy
We are PCI compliant as a service provider, however our service port forwards some web traffic at TCP level.
Customers use our PCI compliant service and can choose to upload a TLS/SSL certificate to us if they want their HTTPS traffic analysed. So…
SilverlightFox
- 33,408
- 6
- 67
- 178