What’s the best practice for masking or truncating PAN?

November 12, 2015 • Ask the QSA

Question: What is the best practice when masking or truncating PAN? Is masking the middle 8 digits enough or should you mask the first 12? Answer: When it comes to the display of PAN, it’s about 2 things: What’s the PCI DSS say? What does …
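A worked illustration of the two operations the question asks about, added here as an example and not part of the Ask the QSA column. It encodes the PCI DSS display rule that at most the first six and last four digits of a PAN may be shown (Requirement 3.3 in PCI DSS v3.x; v4.0 Requirement 3.4.1 phrases the same limit as the BIN plus the last four). Masking the middle eight digits of a 16-digit PAN (first four and last four visible) and masking the first twelve (last four visible) both stay inside that limit; first six and last four is the most that may be exposed. The function names, the `X` fill character and the helper that audits an already-rendered string are this example's own choices; the PANs used are the well-known test numbers 4111111111111111 and 378282246310005, not real card numbers.

```python
"""PAN masking (display) and truncation (storage) helpers.

Added example; not code from the Ask the QSA post. Function names and the
fill character are assumptions made for illustration. PAN limits follow
PCI DSS v3.x Req. 3.3 / v4.0 Req. 3.4.1: at most first six and last four
digits may be displayed.
"""
import re

# PANs are 13 to 19 digits after removing the spaces/dashes used for display.
PAN_RE = re.compile(r"^\d{13,19}$")
MAX_LEAD = 6   # at most the first six digits (BIN) may be shown
MAX_TRAIL = 4  # at most the last four digits may be shown


def normalize(pan: str) -> str:
    """Strip the separators commonly typed into a PAN and validate its length."""
    digits = re.sub(r"[ -]", "", pan)
    if not PAN_RE.match(digits):
        raise ValueError("PAN must be 13-19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn check on a full PAN (a masked or truncated value will not pass)."""
    total = 0
    for i, ch in enumerate(reversed(normalize(pan))):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = MAX_LEAD, trail: int = MAX_TRAIL, fill: str = "X") -> str:
    """Display form: keep `lead` leading and `trail` trailing digits, hide the rest.

    Defaults show the maximum PCI DSS permits; callers may show fewer
    (lead=4, trail=4 is the "mask the middle 8" option; lead=0, trail=4 is
    "mask the first 12") but never more.
    """
    if lead > MAX_LEAD or trail > MAX_TRAIL or lead < 0 or trail < 0:
        raise ValueError("PCI DSS allows at most the first 6 and last 4 digits to be displayed")
    digits = normalize(pan)
    hidden = len(digits) - lead - trail
    return digits[:lead] + fill * hidden + digits[len(digits) - trail:]


def truncate_pan(pan: str) -> str:
    """Storage form: permanently discard everything except the last four digits.

    Unlike masking, this is irreversible; the result is no longer a PAN and is
    what a system keeps when it only needs to reference a card to the customer.
    """
    return normalize(pan)[-4:]


def is_safely_masked(rendered: str) -> bool:
    """Audit a rendered string: no more than 6 leading and 4 trailing digits,
    with a non-digit mask run in between. A full PAN returns False."""
    digits = re.sub(r"[ -]", "", rendered)
    return re.fullmatch(r"\d{0,%d}\D+\d{0,%d}" % (MAX_LEAD, MAX_TRAIL), digits) is not None


if __name__ == "__main__":
    test_pan = "4111 1111 1111 1111"          # constructed: well-known Visa test number
    print("full PAN passes Luhn:", luhn_valid(test_pan))
    print("first6/last4:        ", mask_pan(test_pan))
    print("mask middle 8:       ", mask_pan(test_pan, lead=4, trail=4))
    print("mask first 12:       ", mask_pan(test_pan, lead=0, trail=4))
    print("truncated for storage", truncate_pan(test_pan))
    print("audit masked value:  ", is_safely_masked(mask_pan(test_pan)))
    print("audit full PAN:      ", is_safely_masked(test_pan))
```

Two practical points the code makes explicit: masking is a display control and the full PAN still exists behind it, whereas truncation actually removes data and is what you store when the full PAN is not needed; and PCI DSS (the note under Requirement 3.4 in v3.2.1) warns that a truncated PAN and a hash of the same PAN held in the same environment can be correlated to rebuild the original, so the two should not coexist without additional controls.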

Can an Employee Conduct Our Company’s Penetration Testing?

November 4, 2015 • Ask the QSA

Question: One of our employees is a Certified Penetration Tester (CPT). Can we use this employee to perform our external and application penetration testing? Or does this employee need to be registered in some way with the PCI Council? Answer: The PCI DSS allows companies …

If I Don’t Switch to EMV Will I No Longer Be PCI Compliant?

April 2, 2015 • Ask the QSA

Question: I have a small retail shop and am not worried about fraud. But if I don’t upgrade and get an EMV enabled credit card machine, will that mean that I am no longer PCI compliant? Answer: Even though the adoption of the EMV initiative—which …

Do Vendors Keep a PCI Compliance Certificate?

April 2, 2015 • Ask the QSA

Question: Is there a PCI Compliance certificate that we need to ask vendors for? Answer: There is no “certificate” for PCI compliance. You can ask for an AOC (Attestation of Compliance) which, properly completed, should assist you in knowing what PCI compliant services your vendor provides. …

“Did We Fall Out of Compliance?”

February 12, 2015 • Ask the QSA

Question: We achieved our SAQ-D in August 2014. We just had some quarterly scans executed and need to remediate two vulnerabilities. Are we now not PCI compliant because some vulnerabilities came up and we are resolving them? Answer: PCI compliance is structured around a series …

How are Transaction Volumes Calculated to Determine Merchant Level?

February 3, 2015 • Ask the QSA

Question: What factors contribute to the “transaction volume” calculation that determines my merchant level? For example, do credit card authorizations count toward the total volume? Answer: Transaction volume is based on the aggregate number of transactions (inclusive of credit, debit and prepaid) from a merchant. In cases …