“Ask the QSA” Question: My organization is an online service provider. Our customers are merchants (i.e., our customers are receiving the payment through our servers) and the credit card payment storage is done by a Level 1 PCI DSS Validated third party. Does my organization … Read more
Question: We are considering moving a server containing cardholder data to a hosted private cloud provider. Is it necessary that the provider have a PCI DSS assessment of their own and produce an Attestation of Compliance? What if they produce a report from an independent … Read more
Question: Our cardholder data environment (CDE) resides in a private cloud with Amazon Web Services. One of our core applications in the CDE is not accessible to the public internet; however, we have a private circuit in place that allows two of our external partners to … Read more
Here’s a news headline that is currently scaring security executives and causing a few sleepless nights: “NSA Has Hacked 50,000 Computers Globally.” What does this have to do with PCI compliance, you might ask? If the National Security Agency can easily hack into private computer … Read more
The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users was designed to create awareness of challenges in and best practices for accepting payments with a mobile device. The following are three key takeaways from the document: General-purpose mobile devices (i.e., smartphones, tablets, etc.) are designed … Read more
The Payment Card Industry Security Standards Council (PCI SSC) released new guidelines during its recent Community Meeting in Orlando. The new Mobile Payment Acceptance Security guidelines apply to the payment applications identified in Mobile Payment Acceptance Application Category 3, and they give software developers and mobile … Read more