Questions tagged [pci-dss]
An acronym for Payment Card Industry (PCI) Data Security Standard (DSS). A set of rules and policies for protecting information related to card based financial instruments.
694 questions
0 votes, 1 answer, 90 views
Browser Disk Cache Persistence Across User Sessions — PCI DSS 3.2.1 / 3.4 Implications
I’m evaluating a scenario involving shared workstations in a PCI-scoped environment where multiple authenticated users access the same application on the workstation throughout the day.
Observed ...
0 votes, 1 answer, 64 views
PCI applicability when only typing cc info into a client's payment system
My company has a small call center. Less than 100 people. Currently we do not do any credit card transactions but are looking to do so in the future.
One potential client has us using their ...
0 votes, 0 answers, 87 views
Tokenized PAN & PCI DSS Compliance
I have been asked to implement a new payment system that uses Google/Apple Pay's Direct integration (using Tokenized PANs (DPAN), not clear cards) as well as a similar Tokenized PAN retrieved from our ...
0 votes, 1 answer, 231 views
How secure is a network HSM connection with TLS disabled, relying only on IP ACLs and PKCS#11 slot PINs?
If TLS is disabled on a network-attached Hardware Security Module (HSM), but the device still enforces:
IP-based access control (only whitelisted client IPs can connect), and
PKCS#11 slot PIN ...
1 vote, 2 answers, 171 views
In PCI DSS SAQ A, does "customer’s browser" include merchant apps using TPSP-provided UI elements for card data?
I’m trying to understand a PCI DSS SAQ A requirement that says:
"All elements of the payment page(s)/form(s) delivered to the customer’s browser originate only and directly from a PCI DSS ...
5 votes, 2 answers, 747 views
How do you independently verify that credentials have been rotated?
PCI compliance requires us to rotate passwords, but mainly seems to allow us to attest to the fact that we rotated the passwords based on trust that the work we say we're doing is getting done.
But as ...
1 vote, 1 answer, 251 views
Does PCI/DSS allow storing the cardholder's name a person entered (and not the real one)
I have an app where a person enters their card number, the cardholder's name, the expiration date and the cvv. I am now making it pci/dss-compliant. I will store the card number in an encrypted way. ...
2 votes, 1 answer, 223 views
Would a domain registrar be considered a Service Provider for PCI compliance if it never touches its customer's card holder data?
Hypothetical:
Company A accepts credit card payments and must be PCI compliant.
Company B provides domain registration (but not DNS or web hosting) services to Company A.
Some of these domains are ...
3 votes, 1 answer, 216 views
PCI DSS SAQ A qualification - what counts as a 'found' vulnerability?
This Q pertains to PCI DSS v4.0 SAQ A - previous Q&A only touched on previous versions of PCI.
Since 4.0, merchants that accept credit card payment, even if they only iframe or link to their ...
5 votes, 0 answers, 85 views
PCI-DSS Scope - How to determine client scope segmentation
We are a medium sized organization and use Payment Service Providers for all purchases, including credit card and non-credit card purchases. We get yearly audits and our internal payments platform is ...
6 votes, 1 answer, 327 views
How do payment facilitators like Stripe handle the PCI DSS requirement to periodically inspect POI devices?
Payment facilitators like Stripe provide card payment terminals to their customers. These devices must be periodically inspected, per requirement 9.5.1.2. How does the payment facilitator handle this, ...
0 votes, 1 answer, 94 views
Practical advice on completing PCI DSS SAQ [closed]
I have established that my business needs to complete a PCI DSS SAQ-D form for attesting PCI compliance... twice - once as a merchant and once as a service provider!
Even completing it once is a ...
1 vote, 1 answer, 88 views
PCI Compliance for Contract Management Software with User-Entered Card Data
I'm evaluating a contract management software that claims PCI compliance for my CC data. However, I am going to use the software to issue contracts to my customers where they directly enter credit ...
0 votes, 0 answers, 119 views
PCI 4.0 Assessment for Service Provider that doesn't have a CDE
What type of PCI 4.0 Assessment are Service Providers doing when they have no CDE, they do not accept or process credit cards, but instead use another service provider for those services?
25 votes, 3 answers, 8k views
Why is the absence of a Content-Type header with a HTTP 204 response considered a security vulnerability and what should we do about it?
We have recently developed a web application with a RESTful API backend. This web app need to have a certain security certification (something called PCI-DSS), and thus it is being scanned ...