PaulDotCom mailing list archives
Re: PCI Compliance
From: Arch Angel <arch3angel () gmail com>
Date: Fri, 12 Apr 2013 09:04:14 -0400
I can't say too much but I can say that I work in the "banking" industry and, just as the others have stated, the answer is "YES". Just because you don't have the volume to have the bank increase your PCI-DSS level from 4 to 1 doesn't exclude you from the requirements of PCI-DSS; when you sign the SAQ you acknowledge that you are complying with these requirements.

Another thing to keep in mind is the use of third party vendors for services: you have to prove those vendors are also PCI-DSS compliant. A classic example of this is call centers, many of which are outsourced and take credit cards on behalf of the merchant. You need to make sure that third party vendor is also compliant and PROVE IT; they can provide you with their ROC (Report on Compliance) as well as their quarterly external scans. The same thing goes for applications used in the credit card process: whether it is your application or a third party vendor's, it must be PCI-DSS compliant and must be proven.

The way to reduce this, and exempt the company from many things when you are a Level 3 or 4, is by reducing the scope of the PCI-DSS down to the smallest possible size. An example of this is to use a point of sale machine in place of Quickbooks on the computer with Internet access. It makes the process a little harder on the manual labor side but potentially saves tons of money and headaches on the PCI-DSS side.

Also keep in mind that PCI-DSS really only works for Visa & MasterCard; American Express has their own guidelines, as does Discover. If you accept these brands as well then you need to be compliant with their requirements as well.

Hope this helps,
Robert (arch3angel)

On Fri, Apr 12, 2013 at 1:23 AM, Nathan Sweaney <nathan () sweaney com> wrote:
You are correct. The merchant of record (whoever signs the contract to accept credit cards) is responsible for completely complying with the entire PCI-DSS (and any other security requirements provided by the card brands that they accept). This is spelled out in their Merchant Agreement contract with their processor or acquiring bank. I obviously haven't seen their contract, but I've looked at tons from various banks and they all have the exact same boilerplate sections provided by the card brands.

It sounds like they are the merchant of record, but it's your customers whose cards will be processed. If so, that puts you in an awkward position. Legally the vendor will be liable for any fines associated with a breach, but your name could be smeared because they were your customers.

If you have any leverage, you might insist they provide a copy of their merchant agreement, or even a letter from their bank attesting that they don't have to fully comply. They won't be able to do that, but it might help you convince them that they're wrong.

On Thu, Apr 11, 2013 at 4:04 PM, Jeff h <holden.tech () gmail com> wrote:

I have a question I hope someone can answer regarding PCI. We have a vendor that we use that hosts an application. The vendor says they are a Level 4 merchant and use a third party for all credit card transactions. So they would have to fill out a SAQ C and have an external scan by an approved vendor. Do they still have to abide by all PCI DSS requirements even if they are not spelled out in SAQ C, such as password length, reuse, and expiration? The vendor has a document in which they describe their security controls, and they do not even meet PCI DSS's already lax standard of at least 7 character passwords. They claim that since they are level 4 they don't need to.
My understanding was that all requirements still apply; even if it doesn't go through every single requirement in SAQ C, they still have to check the box that says "I have read the PCI DSS and I recognize that I must maintain full PCI DSS compliance at all times". So who is correct?

Thanks,
Jeff

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- Re: PCI Compliance Nathan Sweaney (Apr 12)
- Re: PCI Compliance Arch Angel (Apr 12)
- Re: PCI Compliance Jeff h (Apr 12)
- <Possible follow-ups>
- Re: PCI Compliance Chris Hague (Apr 12)
- Re: PCI Compliance Josh More (Apr 12)