What's the best practice for masking or truncating PAN?

Question: What is the best practice when masking or truncating PAN? Is masking the middle 8 digits enough or should you mask the first 12?

Answer: When it comes to the display of PAN, it’s about 2 things:

What’s the PCI DSS say?
What does security best practice…

Can an Employee Conduct Our Company’s Penetration Testing?

Question: One of our employees is a Certified Penetration Tester (CPT). Can we use this employee to perform our external and application penetration testing? Or does this employee need to be registered in some way with the PCI Council?

Answer: The PCI DSS allows companies to pen test themselves providing…

If I Don't Switch to EMV Will I No Longer Be PCI Compliant?

Question: I have a small retail shop and am not worried about fraud. But if I don’t upgrade and get an EMV enabled credit card machine, will that mean that I am no longer PCI compliant?

Answer: Even though the adoption of the EMV initiative—which involves changing out…

Do Vendors Keep a PCI Compliance Certificate?

Question: Is there a PCI Compliance certificate that we need to ask vendors for?

Answer: There is no “certificate” for PCI compliance. You can ask for an AOC (Attestation of Compliance) which, properly completed, should assist you in knowing what PCI compliant services your vendor provides.

Knowing your service providers…

"Did We Fall Out of Compliance?"

Question: We achieved our SAQ-D in August 2014. We just had some quarterly scans executed and need to remediate two vulnerabilities. Are we now not PCI compliant because some vulnerabilities came up and we are resolving them?

Answer: PCI compliance is structured around a series of controls integrated purposely…

How are Transaction Volumes Calculated to Determine Merchant Level?

Question: What factors contribute to the “transaction volume” calculation that determines my merchant level? For example, do credit card authorizations count toward the total volume?

Answer: Transaction volume is based on the aggregate number of transactions (inclusive of credit, debit and prepaid) from a merchant. In cases where a merchant…

Our Service Provider is Compliant, Must Our Organization Be As Well?

Question: My organization is an online service provider. Our customers are merchants (i.e., our customers are receiving the payment through our servers) and the credit card payment storage is done by a Level 1 PCI DSS Validated third party. Does my organization have to be PCI compliant?

Answer: Since…

Is Penetration Testing Now a Must for My Business?

Question: In version 3.0 it states I need to complete penetration testing. In version 2.0 it was recommended and because of our business being 24 hours, we had an acceptable work around. I am being told that the penetration test is a MUST for 3.0?

Answer: Penetration…

What Does the PCI DSS Say About Employee Background Checks?

Question: Can you tell me what “employee background” requirements are for PCI compliance? If a potential employee has any arrest/conviction of any kind (felony or misdemeanor), can they not be hired or work in a PCI compliant call center?

Answer: The PCI DSS requires (via Requirement 12.7) that…

Hosted Private Cloud Service Providers: Should They Be PCI Compliant?

Question: We are considering moving a server containing cardholder data to a hosted private cloud provider. Is it necessary that the provider have a PCI DSS assessment of their own and produce an Attestation of Compliance?

What if they produce a report from an independent security company that is not…

"Is it OK to enable remote access to my back office PC?"

Question: Is LogMeIn PCI Compliant for a restaurant back office PC? I heard that leaving an open connection is not compliant.

Answer: A remote access program such as LogMeIn can be PCI compliant; however, it must be securely implemented using multiple factors of authentication to log in, the connection must…

"Can We Securely Store Card Data for Recurring Billing?"

While the PCI DSS discourages businesses from storing credit card data, many feel the practice is necessary in order to facilitate recurring payments.

Here are a few of the related questions we’ve recently received:

Question: We store credit card info (number & expiration) to run on our terminal in…

About Third-Party Access to Core Business Apps...

Question: Our cardholder data environment (CDE) resides in a private cloud with Amazon Web Services. One of our core applications in the CDE is not accessible to the public internet; however, we have a private circuit in place that allows two of our external partners to access the application. Having…

"Are 'Knuckle Busters' PCI Compliant?"

Question: I run a restaurant business and have a question regarding “manual credit card processing.” In the event my cc system (POS) goes down, how can I process credit cards without taking a manual imprint of the card?

Answer: I’m guessing your question comes from the recent news stories…

"Are Hotels Supposed to be Making Front and Back Copies of My Card?"

We regularly hear from consumers who are concerned about the manner in which hotels are collecting credit card information from them, much of which is on paper via Credit Card Authorization forms and front-and-back card copies.

Here are some examples:

Question: I deal a lot with hotels and…

"Does my backup services business need to be PCI compliant?"

Question: I own a small MSP service that offers backup services for customers’ servers. Some of our hospitality customers for which we do nothing but this type of backup believe we need to be PCI compliant. All the data is fully encrypted before it is sent across the internet to…

"Is it OK to email inactive credit card numbers?"

Question: Is a card that has been closed by an issuer that is no longer active still subject to the same compliance standards as an active card when looking to email a card number in the clear?

Answer: First, I would recommend to NEVER email a credit card number, regardless…

"We submitted the wrong SAQ. Now what?"

Question: Are there any self-disclosure requirements based on inaccurate SAQ submissions? For example, if the incorrect SAQ was completed, what steps should be taken to complete the correct SAQ and how long would a company have to resubmit?

Answer: This would all come down to what the enforcing organization…

"I have a question about storing credit card information"

Question: I work for an e-commerce company and have a question about storing credit card information. In the past, if an order contained potentially fraudulent information we would request a credit card authorization form, which would require a front and back scan of the card as well as a…

"We have a PCI Compliant App but are not currently PCI Compliant..."

Question: We have a PCI Compliant App but are not currently PCI Compliant. If we moved this application to a PCI Compliant Web Hosting Service do we still NEED to be PCI Compliant?

Answer: Simply outsourcing some or all of your organizational functions does not mean you don’t still…
