Questions tagged [pci-scope]

98 questions
0 votes, 1 answer

Is PCI SAQ A or A-EP applicable for my use case?

I read the FAQ over here and I feel that we do not need to be PCI Compliant but I have read many other posts, articles etc which seem to contradict my assumption. So I was wondering if any of you guys can throw some light on it. Here is my use…
Chantz
  • 103
  • 4
0 votes, 1 answer

PCI Compliance - Antivirus in host and virtual environment?

We have a couple servers with a host system, and virtual DB and Web instances. Is it possible to be compliant with PCI if you install the Antivirus only on the host system, or does it need to be installed on all three (host, db instance, web…
Sam
  • 101
  • 2
0 votes, 1 answer

Is a PCI scan required for LAN outer firewall with no open ports?

I have recently been trying to get my company IP addresses scanned with Comodo HackerGuardian. My website needed some adjustments to SSL but after they were made it passed the scan. As we also have a machine accessing a Virtual Terminal at our…
0 votes, 2 answers

Ports open on jump server in CDE

We placed a jump server in CDE to restrict the direct access to PCI in-scope devices (although I believe it should be outside CDE, please confirm). Now, we have opened SQL ports 1433 and application ports from the jump server to the prod host in the…
user30026
  • 1
  • 1
0 votes, 2 answers

PCI : scope debate : API consumers

The Problem I have two systems. System A - E-commerce application that handles (does not store cc) customer credit data during purchase. System B - Invoicing system for these transactions (does store cc). System A is pre-launch, will be low volume…
mconlin
  • 103
  • 3
0 votes, 2 answers

PCI DSS -- eWallet Not storing just displaying Virtual PAN

I have an eWallet application that lets the user (owner of the Virtual Visa) see his virtual card information if he wants to make an online purchase. We are not storing the credit card data in our servers in any way. There is this company…
TikalDog
  • 1
  • 1
0 votes, 1 answer

PCI scope "Encrypted cardholder data that is accessible to an entity that also has access to the decryption key"

I have a question related to this FAQ: https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-does-encrypted-cardholder-data-impact-PCI-DSS-scope?q=how+does+encrypted+data+impact+the+scope&l=en_US&fs=Search& It says: The…
Samuel
  • 113
  • 1
  • 6
0 votes, 1 answer

SSH and PCI on Insecure, Dirty Side

Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side? Isn't that outside the scope of the PCI code?
0 votes, 0 answers

What types of businesses are allowed to store SAD and in particular CVV data?

There must be some kind of business that requires the use of sensitive authentication data (SAD) data. Could someone point me in the right direction on the requirement for the storage of that data?
0 votes, 1 answer

PCI Compliance - Service Provider vs Merchant

We will be providing a service to a client, where the end user logged on to our system can submit their payment information to Authorize .Net. I need help figuring out if we as a service provider need to be PCI Compliant. We will either select the…
nullpointer
  • 103
  • 3
0 votes, 1 answer

Is it legal to post card data from an ecommerce checkout to a PCI compliant 'store'

Let's say I want to charge a user's credit card with their permission after a sale takes place. But, I don't want to have to ask them their credit card a second time. Is it legal to store the credit card information as they're filling it out on the…
Tallboy
  • 105
  • 4
0 votes, 1 answer

Account Security Cardholder data

Ok, so we do not store any cardholder data so I get confused by these questions. "Is all access to any database containing cardholder data (including access by applications, administrators, and all other users) restricted as follows:" 8.7(a) Is all…
0 votes, 1 answer

Platform Change

So we converted our website from an internally created site to a Magento Cloud environment. In the process, we had to change how we handle credit cards. We used to redirect the user to the payment processor's site to complete the payment then come…
0 votes, 1 answer

Does PCI-DSS requirement 10 ("track and monitor all access to ... card holder data") apply if I am not storing card holder data?

Requirement 10 states: "Track and monitor all access to network resources and card holder data." I find this a little vague and I have two questions. If I don't store card holder data - do I just need to monitor access to networking resources? When…
Sim
  • 173
  • 5
0 votes, 1 answer

Are AWS security groups enough to segment network and reduce PCI scope?

I was reading this paper https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf It shows this image. Am I correct in saying that - as long as instances have proper security groups that restrict connectivity, it will remove them from PCI…
Sim
  • 173
  • 5