Questions tagged [pci-scope]
98 questions
2 votes, 4 answers
Would user workstations be considered part of the PCI-DSS CDE when collecting cardholder data using a secure portal
Supposing I had an office full of call centre operators, who sometimes update customers' payment details by way of receiving these over the phone and then keying them into a secure web application, which stores the data securely in the "real" CDE.…
Nemec
2 votes, 1 answer
Can a non-PCI Compliant Service Provider provide SAQ A-EP compliance?
I am trying to find clarification regarding PCI Compliance SAQ A-EP and third party hosting solutions.
In order to achieve SAQ A-EP PCI Compliance using "Hosting Company A", is it necessary for "Hosting Company A" to be a Certified PCI Compliant…
another-joe
2 votes, 2 answers
Risks of using a webpage without SSL/TLS for donations
There is a site called www.mysite.com. It uses Qgiv for taking donations and has some HTML5 data-attributes like:
Chris H
2 votes, 1 answer
PCI Scope, Tokens, and Processor APIs
A merchant receives a processor-provided payment token in response to an authorization from an online order (for the sake of this question, assume this part of the process has all its t's crossed and i's dotted for PCI). Next the order is processed by…
Mark E
1 vote, 0 answers
PCI process, how to solve Mambo vulnerability CVE-2006-0871 on Debian 8?
I am involved in the process of becoming PCI-DSS compliant. I am really close to getting it, although I am having this vulnerability on the server when I am doing an external scan.
Does someone know how to solve it?
ackuser
1 vote, 2 answers
PCI-DSS, what is the best distro?
What is the best distro of Linux to get PCI-DSS compliant?
I am using Debian 8 because I think Debian is one of the most stable versions, but it seems not to be enough; I am struggling with a lot of vulnerabilities.
Furthermore, if anyone could post…
ackuser
1 vote, 1 answer
Can we use the same Active Directory / proxy servers for PCI and non-PCI segment users?
Can we use the same AD server for both PCI VLAN users and non-PCI VLAN users?
How about the proxy? We have a proxy, but both PCI and non-PCI users' traffic is flowing through that proxy.
But we have segmented the VLAN for both PCI and non-PCI users.
Is…
PCIrs
1 vote, 1 answer
PCI DSS - Recorded Phone Conversations
I am using the following image from FishNet Security as a sort of guide for the data flow diagram required by PCI DSS as defined by:
1.1.3 Current diagram that shows all cardholder data flows across systems and networks
Let's say…
Elias
1 vote, 2 answers
Shared Database and PCI Compliance
Say we have a cloud-based web application which is SaaS. This application is to be made PCI compliant as a service provider, as client card data passes through the application. This application uses a database for its configuration…
SilverlightFox
1 vote, 1 answer
TrustWave PCI Compliance - OpenSSH
First-time 'asker' on here, but wanted to say thanks for how much I've used this site and read answers to questions I've had!
Anyway, lately I've been having issues with a customer of ours whose server is failing the PCI Compliance scan from…
oinkerz
1 vote, 1 answer
PCI Compliance relating to 'other' passwords
I see PCI compliance related only to password security, as far as storage and transmission goes, for user names and email accounts. How does this relate to passwords for programs that run on a PCI compliant machine? For instance: Someone…
Anthony Miller
1 vote, 3 answers
PCI Definition of "Transmission"
I am working at a company that is PCI compliant, but I believe they have interpreted some of the requirements incorrectly. Because of this, they are laboring to create work-arounds which I suspect are not necessary.
Specifically, I am wondering…
lipidfish
1 vote, 1 answer
Data Protection Act, who is liable?
Recently, a large UK shopping chain had the staff payroll database leaked (including bank details, all unencrypted).
We've been told that we cannot take legal action and have so far been denied compensation as although our data was stolen, it wasn't…
user42073
1 vote, 1 answer
PCI-approved device: does it matter if my POS is PCI compliant if it just passes info to the gateway and does not store the encrypted card data?
If my hardware device is on the PCI list from here:
https://www.pcisecuritystandards.org/approved_companies_providers/approved_pin_transaction_security.php
Does my POS need to be PCI compliant, since the POS cannot decrypt the data, since it is a…
user41386
1 vote, 3 answers
Encryption of PCI data, and PCI-DSS scoping
I read another question which made me think...
If you encrypt PCI data (credit card numbers, etc.) using PGP or AES and send it through a firewall, is that firewall in scope?
Alternatively, what if you only use a data-in-motion security mechanism…
JZeolla