Security Basics mailing list archives
Re: PCI compliance questions
From: Mark Loeser <mark () halcy0n com>
Date: Fri, 24 Apr 2009 11:41:24 -0400
Abo Sous <abussous () gmail com> said:
> 1- Details on what's considered sensitive data and what's not from a Merchant perspective are provided by Visa on page of https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf; however, I could not find any for the Acquirer/Issuer/Service Provider perspective. Any pointers?

According to PCI standards all cardholder data is sensitive. The only thing that needs to be rendered unreadable is the full account number for the card. The other information just needs to be protected. Also, the PIN, CVV and full magnetic stripe cannot be stored at all.

> 2- What are the deadlines/fines for non-compliance, for Merchants/Acquirers/Issuers/Service Providers respectively?

These should be listed in the spec; I don't recall off hand.

> 3- Being an issuer/acquirer (a bank, for example), am I required to comply with PCI DSS? If so, what are the requirements?

Almost positive you have to comply with all of the requirements. If you are dealing with cardholder data at all, then you fall into PCI-land.

HTH,

--
Mark Loeser
email - halcy0n AT gentoo DOT org
email - mark AT halcy0n DOT com
web - http://www.halcy0n.com