Security Basics mailing list archives
RE: Is PCI Compliance Mandatory
From: "Palmer, Mark" <mpalmer () hoovers com>
Date: Mon, 14 Jan 2008 09:36:38 -0600
Quoting the PCI Data Security Standard v1.1: "PCI DSS requirements are applicable if a Primary Account Number (PAN) is *stored*, *processed*, or *transmitted*. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply."

Just because you are not storing the card number does not necessarily exclude you from the scope of PCI DSS. I'd suspect your organization might be transmitting card holder data. If true, then PCI DSS applies. But that's a decision you and your company's management team must make.

There are other items to consider:

1) What level merchant are you? Ask your acquiring bank for this information.
2) How does your company manage risk?
3) What payment application are you using? Is it on the list of Vulnerable Payment applications?
4) Is your payment vendor compliant? What are you doing to ensure they are compliant?
5...) Lots more questions go here....

Working with your acquiring bank is the best place to start. They will be able to provide you additional guidance. Depending on what the acquiring bank requires from your organization, you may want to consider some consultation. Consulting is not a requirement, but may help jump start a company's PCI efforts.

Remember, PCI compliance is not a project; it is an ongoing effort to validate your organization's effort (or lack thereof) to secure and protect card holder data.

Mark Palmer
Current thread:
- Is PCI Compliance Mandatory global . infosec (Jan 12)
- RE: Is PCI Compliance Mandatory Craig Wright (Jan 14)
- Re: Is PCI Compliance Mandatory J. Lion (Jan 14)
- RE: Is PCI Compliance Mandatory Palmer, Mark (Jan 14)
- Re: Is PCI Compliance Mandatory Chad Loder (Jan 14)
- RE: Is PCI Compliance Mandatory Abimbola, Abiola (Jan 14)
- Re: Is PCI Compliance Mandatory Jason Thompson (Jan 14)
- <Possible follow-ups>
- Re: Is PCI Compliance Mandatory cstubbs (Jan 14)
- Re: RE: Is PCI Compliance Mandatory marc . massar (Jan 14)
- Re: Is PCI Compliance Mandatory evilwon12 (Jan 14)