PaulDotCom mailing list archives

Re: a pci question


From: "Nils" <nils () hemmann de>
Date: Tue, 12 Apr 2011 14:06:35 +0200

Hey Marck,
first off, if your company does not transmit or process cardholder data in any way then your entire company is not in PCI scope. But maybe you could describe in a little more detail what exactly you are doing and how you're processing payments.

Regarding the PSP's demand of a VPN, I think this is just a general requirement they have to standardize their external connections to be on the safe side. When it comes to PCI, the PSPs need to encrypt any connection which *might* transmit cardholder data (Req. 4). But maybe there are other non-PCI requirements like data privacy protection.

My 2ct.
Nils




On 11.04.2011 22:31, marck e. wrote:
Due to avoiding being scoped in PCI-compliance, we are now searching
for PSP (Payment Service Providers).
Our processing volume is quite low (maybe 20 or 30 orders a month).
We already selected a couple of PSP and one of their requirements is
we must establish a VPN connection with them in order for them to send
payment status of orders (not credit card numbers at all).
Even when we only would get payment status of orders, is there any
reason we should establish a VPN connection with them?
I mean, if we only get status of paid or not-paid for payment
processing done on their infrastructure, why is that VPN requirement?
Also, what is the extent to which we are scoped regarding PCI if we are outsourcing
all of our payment processing?

thank you

marck
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
