PaulDotCom mailing list archives
Re: PCI Compliance
From: Chris Hague <chrishague () comcast net>
Date: Fri, 12 Apr 2013 00:12:21 -0500
Sorry for the short answer but YES. They need to comply with ALL the PCI-DSS requirements. When they sign the AOC they are stating that they meet ALL requirements of the DSS. Sent from my iPhone On Apr 11, 2013, at 4:04 PM, Jeff h <holden.tech () gmail com> wrote:
I have a question I hope someone can answer regarding PCI. We have a vender that we use that hosts an application. The vender says they are a Level 4 merchant and use a third party for all credit card transactions. So they would have to fill out a SAQ C and have an external scan by an approved vender. Do they still have to abide by all PCI DSS requirements even if they are not spelled out in SAQ C, such as password length, reuse, and expiration? The vender has a document they describe their security controls and they do not even meet PCI DSS already lax standard of at least 7 character passwords. They claim that since they are level 4 they don't need to. My understanding was all requirements still apply even if it dosen't go through every single requirement in SAQ C they still have to check the box that says "I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times" So who is correct? Thanks, Jeff _______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
_______________________________________________ Pauldotcom mailing list Pauldotcom () mail pauldotcom com http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
Current thread:
- Re: PCI Compliance Nathan Sweaney (Apr 12)
- Re: PCI Compliance Arch Angel (Apr 12)
- Re: PCI Compliance Jeff h (Apr 12)
- <Possible follow-ups>
- Re: PCI Compliance Chris Hague (Apr 12)
- Re: PCI Compliance Josh More (Apr 12)