PaulDotCom mailing list archives

Re: PCI Compliance


From: Chris Hague <chrishague () comcast net>
Date: Fri, 12 Apr 2013 00:12:21 -0500

Sorry for the short answer but YES. They need to comply with ALL the PCI-DSS requirements.  When they sign the AOC they 
are stating that they meet ALL requirements of the DSS.  


Sent from my iPhone

On Apr 11, 2013, at 4:04 PM, Jeff h <holden.tech () gmail com> wrote:

I have a question I hope someone can answer regarding PCI.  We have a vendor that we use that hosts an application.  
The vendor says they are a Level 4 merchant and use a third party for all credit card transactions. So they would 
have to fill out a SAQ C and have an external scan by an approved vendor.  

Do they still have to abide by all PCI DSS requirements even if they are not spelled out in SAQ C, such as password 
length, reuse, and expiration?

The vendor has a document in which they describe their security controls, and they do not even meet PCI DSS's already lax 
standard of at least 7-character passwords. They claim that since they are Level 4 they don't need to.

My understanding was that all requirements still apply. Even if SAQ C doesn't go through every single requirement, 
they still have to check the box that says "I have read the PCI DSS and I recognize that I must maintain full PCI DSS 
compliance at all times."

So who is correct?

Thanks,
Jeff
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com