Security Basics mailing list archives

Re: PCI compliance questions


From: Mark Loeser <mark () halcy0n com>
Date: Fri, 24 Apr 2009 11:41:24 -0400

Abo Sous <abussous () gmail com> said:
1- Details on what’s considered as sensitive data and what’s not: from
a Merchant perspective is provided by Visa on page of
https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf;
however, I could not find any as for the Acquirer/Issuer/Service
Provider perspective; any pointers?

According to PCI standards all cardholder data is sensitive.  The only
thing that needs to be rendered unreadable is the full account number
for the card.  The other information just needs to be protected.  Also,
the PIN, CVV and full magnetic strip cannot be stored at all.

2- What are the deadlines/fines for non-compliance, for
Merchants/Acquirers/Issuers/Service Providers respectively?

These should be listed in the spec, I don't recall off hand.

3- Being an issuer/acquirer (bank for ex), am I required to comply
with PCI DSS? If so, what are the requirements?

Almost positive you have to comply with all of the requirements.  If you
are dealing with card holder data at all, then you fall into PCI-land.

HTH,

-- 
Mark Loeser
email         -   halcy0n AT gentoo DOT org
email         -   mark AT halcy0n DOT com
web           -   http://www.halcy0n.com
