Questions tagged [pci-dss]
An acronym for Payment Card Industry (PCI) Data Security Standard (DSS). A set of rules and policies for protecting information related to card based financial instruments.
693 questions
0 votes
1 answer
37 views
PCI applicability when only typing cc info into a client's payment system
My company has a small call center. Less than 100 people. Currently we do not do any credit card transactions but are looking to do so in the future. One potential client has us using their ...
0 votes
1 answer
194 views
How secure is a network HSM connection with TLS disabled, relying only on IP ACLs and PKCS#11 slot PINs?
If TLS is disabled on a network-attached Hardware Security Module (HSM), but the device still enforces: IP-based access control (only whitelisted client IPs can connect), and PKCS#11 slot PIN ...
5 votes
2 answers
718 views
How do you independently verify that credentials have been rotated?
PCI compliance requires us to rotate passwords, but mainly seems to allow us to attest to the fact that we rotated the passwords based on trust that the work we say we're doing is getting done. But as ...
2 votes
1 answer
208 views
Would a domain registrar be considered a Service Provider for PCI compliance if it never touches its customer's cardholder data?
Hypothetical: Company A accepts credit card payments and must be PCI compliant. Company B provides domain registration (but not DNS or web hosting) services to Company A. Some of these domains are ...
5 votes
0 answers
74 views
PCI-DSS Scope - How to determine client scope segmentation
We are a medium sized organization and use Payment Service Providers for all purchases, including credit card and non-credit card purchases. We get yearly audits and our internal payments platform is ...
0 votes
1 answer
88 views
Practical advice on completing PCI DSS SAQ [closed]
I have established that my business needs to complete a PCI DSS SAQ-D form for attesting PCI compliance... twice - once as a merchant and once as a service provider! Even completing it once is a ...
0 votes
0 answers
101 views
PCI 4.0 Assessment for Service Provider that doesn't have a CDE
What type of PCI 4.0 Assessment are Service Providers doing when they have no CDE, they do not accept or process credit cards, but instead use another service provider for those services?
2 votes
1 answer
197 views
Can CVV be input in a standard web site? The site doesn't store it
On my website, payments are done using a PCI-compliant 3rd partner. If the client agrees, I store a TOKEN of the card (returned by the PCI partner). I want to make a new payment with CVV for the ...