Questions tagged [pci-scope]

98 questions
3 votes, 2 answers

Can Windows 8 be PCI compliant?

I am in the process of getting PCI. I am in the last step in which I would need a secure PC on my internal network. All the scans I must run are only available through a plugin in browsers for Windows & Mac OS X (not available for Linux, which is…
ackuser
3 votes, 1 answer

What are the differences between DIACAP and RMF?

I am currently certifying systems (products) under DIACAP (DoD Information Assurance Certification and Accreditation Process). In the future we will need to use RMF (Risk Management Framework). What are the key differences between these two…
3 votes, 1 answer

Does PCI compliance require a DRP even if we don't store card data?

Our company does not store any credit card details. We are storing it in a cloud platform which is already PCI compliant. We just need to access the cloud portal from our company. I understand we need to be PCI compliant as well. Are we required…
PCIrs
3 votes, 2 answers

Backup procedure for PCI

Our company does not store any credit card details, but we do transmit them. We are storing it in a cloud platform which is already PCI compliant. We just need to access the Cloud portal from our company. I understand we need to be PCI…
PCIrs
3 votes, 1 answer

Handling unencrypted HTTP data for a PCI compliant system - in scope for PCI DSS v3 but not v2?

We currently have a custom, cloud based application that can analyse then route HTTP and HTTPS traffic through to a domain. So if a client wants to use our service, they re-point their DNS to our application's IP address and our application will…
SilverlightFox
3 votes, 2 answers

If I am using Stripe, am I SAQ A-EP in PCI v3?

We are going through the PCI process at the moment and because v2 goes out of date in December 2014, I opted to use PCI v3. Because with Stripe you put the form inside your application and post to them, does that mean I need to go down PCI SAQ A-EP…
OliverBS
3 votes, 2 answers

PCI-DSS: Is the infrastructure really in scope?

Say I have an application that takes credit cards, but this is actually a payment gateway on the internet that I don't control. The web site used HTTPS and only returns if the card was authorized or not and stores the last 4 digits of the PAN. …
Justin
3 votes, 1 answer

Is it OK to generate a token for a credit card without the user's permission? Is that PCI compliant?

Is it PCI compliant to generate a token for every card used for processing, regardless of whether the client asked for his card to be saved or not?
Wael Awada
3 votes, 0 answers

PCI Idle Session Timeout general question

Can someone help me understand how the PCI Timeout rules change for an application like the Starbucks App? A user is able to keep their card open ready for scan for longer than 15 minutes if needed, but PCI A11y AA also requires to display a message…
Vinny
3 votes, 2 answers

SAQ-D Service Provider without a CDE

We provide a shopping cart service with integrations to multiple third party payment processors (PayPal, Authorize.net, etc.) where all payment processing happens on their networks (i.e., no CC data enters our networks). Some of our prospects have…
William Jens
3 votes, 1 answer

PCI scope when entering card details into browser

Suppose I have an ecommerce web site, hosted in Azure (or AWS). I will use a third party payment gateway that is fully certified as PCI level 1. All communication is done with TLS 1.1 or better. Scenario A: During checkout, a page is presented that…
richb
3 votes, 1 answer

Can Revolut be PCI DSS compliant?

Basically, the Revolut app shows the PAN and CVV by default in-app and it has a "show PIN" option, how can this be compliant? Here's a screenshot from the app, I have seen the real app and it really renders PAN, CVV and PIN. Update 1 One of the…
bbozo
3 votes, 2 answers

Secure online credit card payment on a delayed time scale

I'm in charge of security for a small online store that wishes to request credit card information, but not actually charge the customer until approximately a month after the purchase - this cannot be avoided. However, it seems to be a nightmare…
3 votes, 1 answer

SSL terminates on webserver instead of load balancer. PCI compliance question

We have a website that processes credit card data and uses a load balancer for our two web servers. The SSL connection terminates on the webservers and not the load balancer. Is the load balancer in scope for PCI?
welladj
3 votes, 4 answers

How to be PCI compliant with Shopkeep (and others)?

When I walk into some businesses, I see them using Shopkeep on an iPad. I don't understand how this is PCI compliant, as the iPad itself would be in scope, and it can send unconstrained traffic to the internet. Having any device running a full OS…
ToBeReplaced