Questions tagged [pci-scope]
The pci-scope tag has no usage guidance.
100 questions
Would a domain registrar be considered a Service Provider for PCI compliance if it never touches its customer's card holder data?
2 votes, 1 answer, 157 views
Hypothetical:
Company A accepts credit card payments and must be PCI compliant.
Company B provides domain registration (but not DNS or web hosting) services to Company A.
Some of these domains are ...

PCI-DSS Scope - How to determine client scope segmentation
5 votes, 0 answers, 44 views
We are a medium-sized organization and use Payment Service Providers for all purchases, including credit card and non-credit card purchases. We get yearly audits and our internal payments platform is ...

Ports open on jump server in CDE
1 vote, 2 answers, 298 views
We placed a jump server in the CDE to restrict direct access to PCI in-scope devices (although I believe it should be outside the CDE, please confirm).
Now, we have opened SQL ports 1433 and application ...

PCI: scope debate: API consumers
0 votes, 2 answers, 208 views
The Problem
I have two systems.
System A - E-commerce application that handles (does not store cc) customer credit data during purchase.
System B - Invoicing system for these transactions (does store ...

PCI DSS -- eWallet Not storing just displaying Virtual PAN
0 votes, 2 answers, 221 views
I have an eWallet application that lets the user (owner of the Virtual Visa) see his virtual card information if he wants to make an online purchase.
We are not storing the credit card data in our ...

Are virtual credit cards in scope for PCI Compliance?
1 vote, 1 answer, 3k views
My company is using virtual credit cards and since we are PCI compliant (and want to be in the future) I was wondering about the requirements of storing/processing and transmitting PAN numbers of ...

PCI scope "Encrypted cardholder data that is accessible to an entity that also has access to the decryption key"
0 votes, 1 answer, 272 views
I have a question related to this FAQ:
https://pcissc.secure.force.com/faq/articles/Frequently_Asked_Question/How-does-encrypted-cardholder-data-impact-PCI-DSS-scope?q=how+does+encrypted+data+impact+...

How does collecting sensitive data using iframes increase security?
12 votes, 4 answers, 4k views
So this approach seems to be rather popular, particularly among payment processors that provide JavaScript integrations.
The added layer of security that "fields in iframe" brings also ...

SSH and PCI on Insecure, Dirty Side
0 votes, 1 answer, 274 views
Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side? Isn't that outside the scope of the PCI code?

file-integrity monitoring tools for PCI compliance
1 vote, 1 answer, 435 views
A former employer of mine has reached out to me to assist them with PCI certification (I guess I'll be getting a 1099-NEC from them next year as a result). Here's the point I'm at in the questionnaire: ...

PCI scope for a Direct-Post e-commerce site (SAQ A-EP)
2 votes, 1 answer, 213 views
An e-commerce site uses the Direct-Post method (see page 14 PCI e-commerce security).
Is the server for the e-commerce application and the network it resides on in scope for PCI? There are questions in ...

What types of businesses are allowed to store SAD and in particular CVV data? [duplicate]
0 votes, 0 answers, 25 views
There must be some kind of business that requires the use of sensitive authentication data (SAD). Could someone point me in the right direction on the requirement for the storage of that data?

Can biometric vectors (i.e. fingerprint vector) be considered as Sensitive Authentication Data (SAD) in PCI?
1 vote, 2 answers, 182 views
I am designing a system that uses a certain biometric vector as a secondary user identification step before authorizing a payment. My system does not handle payment card details, rather the payment ...

PCI Compliance - Service Provider vs Merchant
0 votes, 1 answer, 767 views
We will be providing a service to a client, where the end user logged on to our system can submit their payment information to Authorize.Net.
I need help figuring out if we as a service provider ...

Is it legal to post card data from an ecommerce checkout to a PCI compliant 'store'
0 votes, 1 answer, 129 views
Let's say I want to charge a user's credit card with their permission after a sale takes place. But, I don't want to have to ask them for their credit card a second time.
Is it legal to store the credit ...

What is the difference between a server and an appliance for PCI purposes?
2 votes, 1 answer, 7k views
I administer a few hundred servers and am going through a yearly PCI audit. This time around we need to prove that we've got anti-virus protection on our "systems commonly affected by malicious ...

PCI Idle Session Timeout general question
3 votes, 0 answers, 455 views
Can someone help me understand how the PCI Timeout rules change for an application like the Starbucks App? A user is able to keep their card open ready for scan for longer than 15 minutes if needed, ...

PCI compliance with multiple AWS VPCs
4 votes, 1 answer, 478 views
If I have a VPC which is in-scope (the "PCI VPC") and another which is not (the "NON-PCI VPC"), would peering them bring the non-PCI VPC in-scope? Is there a way to avoid this?
I have an Aurora RDS ...

Account Security Cardholder data
0 votes, 1 answer, 126 views
Ok, so we do not store any cardholder data so I get confused by these questions.
"Is all access to any database containing cardholder data (including access by applications, administrators, and all ...

Platform Change
0 votes, 1 answer, 146 views
So we converted our website from an internally created site to a Magento Cloud environment. In the process, we had to change how we handle credit cards.
We used to redirect the user to the payment ...

Does PCI-DSS requirement 10 ("track and monitor all access to ... card holder data") apply if I am not storing card holder data?
0 votes, 1 answer, 131 views
Requirement 10 states: Track and monitor all access to network resources and card holder data
I find this a little vague and I have two questions.
If I don't store card holder data - do I just need ...

Are AWS security groups enough to segment network and reduce PCI scope?
0 votes, 1 answer, 557 views
I was reading this paper
https://d1.awsstatic.com/whitepapers/pci-dss-scoping-on-aws.pdf
It shows this image
Am I correct in saying that - as long as instances have proper security groups that ...

Which self assessment questionnaire should I use for PCI DSS compliance
7 votes, 1 answer, 247 views
My system is passed card data securely over HTTPS from an upstream system. The upstream system captures information via telephone input. This telephone input is sent to us, to invoke payments via ...

Is web site in-scope for PCI even though it redirects to a 3rd-party for card transaction?
2 votes, 1 answer, 966 views
Even though the web site never sees the cardholder data or sensitive authentication data in the clear, and never has access to the encryption keys, I would think the web site is in-scope because it ...

Does PCI Apply to PAN only?
-1 votes, 2 answers, 659 views
I am trying to find out if a credit card application would be in-scope for PCI DSS. As part of the application process, customers can submit their credit card number (PAN) from another institution. No ...

Outsourcing PCI data: Is this ok?
0 votes, 1 answer, 173 views
The organization I work for holds PCI-DSS compliance as a merchant (we fill in SAQ-D). At the same time, due to document/payment verification processes, we request from our customers pictures of their ...

If only getting and storing BIN part of credit card number, should I comply with any PCI (or other) specification?
1 vote, 1 answer, 1k views
I have a fraud detection system.
From the client side (browser) I want to receive and store the BIN section of the card number (first 6 digits) and, if possible, also the last 4 digits.
Besides the above, ...

Emailing PAN securely?
1 vote, 2 answers, 702 views
Has anyone successfully implemented a PCI approved method of emailing PAN data? I know there are concerns managing all the PCI requirements in an email solution but is there anyone that has actually ...

PCI DSS Penetration Testing Requirement 11.3.4
1 vote, 1 answer, 701 views
I'm fairly new to PCI DSS and I'm confused over the requirement to perform pen-testing as per 11.3.4, as it states:
Are penetration-testing procedures defined to test all segmentation methods, ...

PCI compliance for bank card system
1 vote, 1 answer, 1k views
There is a bank that has an internal system working with card data preparation, generating PANs, and finally preparing personalization files that are sent to a third party card manufacturer.
The bank can ...

When to complete PCI DSS Compliance Paperwork
4 votes, 1 answer, 134 views
I am working for a startup that will soon begin processing payments with Stripe.
Looking at their documentation, it seems we will have to file an SAQ A, SAQ A-EP, or an SAQ D depending on our ...

PCI Compliance question from a merchant
2 votes, 4 answers, 335 views
I'm a new business that conducts online auctions for estate sales. When searching for software to use, I had no idea about PCI Compliance. My merchant account told me it was easy. It would be if the ...

PCI - store card details offline
2 votes, 3 answers, 715 views
I work for a company that sends out mail/telephone order goods. Some customers have orders they receive every day, with different amounts.
We have been asked a few times by various customers if we ...

SAQ-D Service Provider without a CDE
3 votes, 2 answers, 1k views
We provide a shopping cart service with integrations to multiple third party payment processors (PayPal, Authorize.net, etc.) where all payment processing happens on their networks (i.e., no CC data ...

PCI-DSS: Sending antivirus logs from private infrastructure to public cloud? [closed]
1 vote, 1 answer, 219 views
We are planning to build an environment where all the Linux machines in private infrastructures will send their ClamAV log files to an ELK stack hosted in a public cloud for log analysis. Is this PCI ...

PCI DSS: Is a Mirror/Identical Server in Pentest or Scanning Scope
1 vote, 1 answer, 112 views
I am just wondering, if I have a mirror/identical (high availability) server in my CDE segment, does that mirror server need to be in scanning scope?
If it is not in the scope, in the scanning report ...

Credit card store first four and last four which PCI SAQ?
2 votes, 1 answer, 536 views
In our application, we only transfer cardholder data to a PCI DSS compliant service provider, and don't store it ourselves. We only store the first four and last four digits of the credit card number for ...

PCI Consideration for HTTP Headers? [closed]
2 votes, 1 answer, 3k views
Recently, some of our servers were being flagged for not implementing proper HTTP headers in a Qualys scan.
One of the sites that I visit regularly - http://pentestit.com has some good HTTP headers ...

What compliance does my mobile application need?
1 vote, 1 answer, 827 views
We are going to develop an application for a payment gateway which is already PCI DSS compliant.
This application will be handling the payment through the API.
My question is whether the application needs ...

PCI scope when entering card details into browser
3 votes, 1 answer, 2k views
Suppose I have an ecommerce web site, hosted in Azure (or AWS). I will use a third party payment gateway that is fully certified as PCI level 1. All communication is done with TLS 1.1 or better.
...

Compliance/ FCA regulations
2 votes, 0 answers, 168 views
First of all, please accept my apology for being ignorant of compliance/FCA regulations, as I have been digging everywhere to get the answer to a very specific question:
SCENARIO
I am planning ...

Multi-factor auth into centralized log server
0 votes, 1 answer, 152 views
I've been searching for an answer to this question. According to PCI DSS Requirement 10.5.3, it asks for sending logs to a centralized secure internal log server.
Would we need to enable multi-factor ...

Receiving encrypted Credit Card number - PCI
2 votes, 2 answers, 377 views
We are in a situation where our application receives a payment confirmation from a third party service, which includes an encrypted credit card number too. Our application needs to store the response. ...

Can Revolut be PCI DSS compliant?
3 votes, 1 answer, 2k views
Basically, the Revolut app shows the PAN and CVV by default in-app and it has a "show PIN" option, how can this be compliant?
Here's a screenshot from the app, I have seen the real app and it really ...

Would user workstations be considered part of the PCI-DSS CDE when collecting cardholder data using a secure portal
2 votes, 4 answers, 4k views
Supposing I had an office full of call centre operators, who sometimes update customers' payment details by way of receiving these over the phone and then keying them into a secure web application, ...

Do we need to include a SIEM hosted in the cloud in CDE scope for PCI DSS requirements, where no CD or transaction logs are being processed or managed?
0 votes, 1 answer, 447 views
We have our cardholder data environment (CDE) hosted in an on-premise model (private datacenter), except the SIEM solution is implemented for logging and monitoring in a private cloud, where we are forwarding ...

Are client-side-only apps regulated by PCI?
4 votes, 2 answers, 1k views
Consider a client-side-only application. It may allow a user to make a payment by redirecting them to a payment gateway website, where they enter the credit card details. If I understand correctly, in ...

PCI Compliance: Capture Credit Card, make ajax call to save address, then post to Payment Provider
0 votes, 1 answer, 506 views
Say on the guest checkout page of an e-commerce website, if the user enters the delivery address, payment details (Credit card details) and clicks the Submit button - and if an ajax request is made to ...

Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
0 votes, 2 answers, 7k views
I am using Node.js and Ubuntu.
When I scan my domain on trustwave.com I get the following error:
Block cipher algorithms with block size of 64 bits (like DES and 3DES) birthday attack known as Sweet32
...

Can I use GitHub and be PCI DSS compliant?
15 votes, 1 answer, 6k views
Is it possible to use any remote DVCS (GitHub, Bitbucket, etc.) with PCI DSS or should I host Git on my own server?