Questions tagged [pci-scope]

98 questions
2 votes, 4 answers

Would user workstations be considered part of the PCI-DSS CDE when collecting cardholder data using a secure portal

Supposing I had an office full of call centre operators, who sometimes update customers' payment details by way of receiving these over the phone and then keying them into a secure web application, which stores the data securely in the "real" CDE.…
Nemec
2 votes, 1 answer

Can a non-PCI Compliant Service Provider provide SAQ A-EP compliance?

I am trying to find clarification regarding PCI Compliance SAQ A-EP and third party hosting solutions. In order to achieve SAQ A-EP PCI Compliance using "Hosting Company A" is it necessary for "Hosting Company A" to be a Certified PCI Compliant…
2 votes, 2 answers

Risks of using a webpage without SSL/TLS for donations

There is a site called www.mysite.com. It uses Qgiv for taking donations and has some HTML5 data-attributes like:
data-qgiv-embed="true" data-embed-id="1" data-embed="https://secure.qgiv.com/"…
Chris H
2 votes, 1 answer

PCI Scope, Tokens, and Processor APIs

A merchant receives a processor provided payment token in response to an authorization from an online order (for the sake of this question assume this part of the process has all its PCI t-s crossed and i-s dotted). Next the order is processed by…
Mark E
1 vote, 0 answers

PCI process, how to solve Mambo vulnerability CVE 2006-0871 on Debian 8?

I am involved in the process of becoming PCI-DSS compliant. I am really close to getting it, although I have this vulnerability on the server when I do an external scan. Does someone know how to solve it?
ackuser
1 vote, 2 answers

PCI-DSS, what is the best distro?

What is the best distro of Linux to get PCI-DSS compliant? I am using Debian 8 because I think Debian is one of the most stable versions, but it seems not to be enough; I am struggling with a lot of vulnerabilities. Furthermore, if anyone could post…
ackuser
1 vote, 1 answer

Can we use the same Active Directory / proxy servers for PCI and non-PCI segment users?

Can we use the same AD server for both PCI VLAN users and non-PCI VLAN users? How about the proxy? We have a proxy, but both PCI and non-PCI users' traffic is flowing through that proxy. But we have segmented the VLAN for both PCI and non-PCI users. Is…
PCIrs
1 vote, 1 answer

PCI DSS - Recorded Phone Conversations

I am using the following image from FishNet Security as a sort of guide for the data flow diagram required by PCI DSS, as defined by 1.1.3: "Current diagram that shows all cardholder data flows across systems and networks". Let's say…
Elias
1 vote, 2 answers

Shared Database and PCI Compliance

Say we have a cloud-based web application which is SaaS. This application is to be made PCI compliant as a service provider, as client card data passes through the application. This application uses a database for its configuration…
SilverlightFox
1 vote, 1 answer

TrustWave PCI Compliance - OpenSSH

First time 'asker' on here, but wanted to say thanks for how much I've used this site and read answers to questions I've had! Anyway, lately I've been having issues with a customer of ours whose server is failing the PCI Compliance scan from…
oinkerz
1 vote, 1 answer

PCI Compliance relating to 'other' passwords

I see PCI compliance related only to password security, as far as storage and transmission go, for user names and email accounts. How does this relate to passwords for programs that run on a PCI compliant machine? For instance: someone…
Anthony Miller
1 vote, 3 answers

PCI Definition of "Transmission"

I am working at a company that is PCI compliant, but I believe they have interpreted some of the requirements incorrectly. Because of this, they are laboring to create work-arounds which I suspect are not necessary. Specifically, I am wondering…
lipidfish
1 vote, 1 answer

Data Protection act, who is liable?

Recently, a large UK shopping chain had the staff payroll database leaked (including bank details, all unencrypted). We've been told that we cannot take legal action and have so far been denied compensation as, although our data was stolen, it wasn't…
user42073
1 vote, 1 answer

PCI approved device, does it matter if my POS is PCI compliant if it just passes info to the gateway and does not store the encrypted card data?

If my hardware device is on the PCI list from here: https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php, does my POS need to be PCI compliant, since the POS cannot decrypt the data, since it is a…
user41386
1 vote, 3 answers

Encryption of PCI data, and PCI-DSS scoping

I read another question which made me think... If you encrypt PCI data (credit card numbers, etc.) using PGP or AES and send it through a firewall, is that firewall in scope? Alternatively, what if you only use a data-in-motion security mechanism…
JZeolla