PaulDotCom mailing list archives

Re: PCI Compliance

From: Josh More <jmore () starmind org>
Date: Fri, 12 Apr 2013 07:54:33 -0500

I agree with the others.  SAQs A-D are reporting tools, not compliance
tools.  If an organization claims to be compliant, they must be compliant
with all aspects of PCI-DSS and, if applicable, PA-DSS as required by their
merchant agreement.

That said, if the organization is *truly* outsourcing *all* credit card
activities (i.e., no PAN and related data is passing through their systems
at all), their entire network is effectively out of scope.  If they are
doing this, there might not be anything you can claim under PCI to change
the situation and would be limited to using other contractual
arrangements.  It sounds to me, though, like they don't really understand
PCI, so if they are trying to out-of-scope their burden, they're doing it
poorly.

-Josh More


On Thu, Apr 11, 2013 at 4:04 PM, Jeff h <holden.tech () gmail com> wrote:

I have a question I hope someone can answer regarding PCI.  We have a
vender that we use that hosts an application.  The vender says they are a
Level 4 merchant and use a third party for all credit card transactions. So
they would have to fill out a SAQ C and have an external scan by an
approved vender.

Do they still have to abide by all PCI DSS requirements even if they are
not spelled out in SAQ C, such as password length, reuse, and expiration?

The vender has a document they describe their security controls and they
do not even meet PCI DSS already lax standard of at least 7 character
passwords. They claim that since they are level 4 they don't need to.

My understanding was all requirements still apply even if it dosen't go
through every single requirement in SAQ C they still have to check the box
that says "I have read the PCI DSS and I recognize that I must maintain
full PCI DSS compliance at all times"

So who is correct?

Thanks,
Jeff

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Re: PCI Compliance Nathan Sweaney (Apr 12)
- Re: PCI Compliance Arch Angel (Apr 12)
- Re: PCI Compliance Jeff h (Apr 12)
- <Possible follow-ups>
- Re: PCI Compliance Chris Hague (Apr 12)
- Re: PCI Compliance Josh More (Apr 12)