Ready Your 3.0 SAQ Game Plan

December 17, 2014 • Category: Best Practices

2014 has been a year filled with news about breaches – big breaches – record breaking breaches. I have spent the majority of the year talking to many people about PCI DSS version 3.0 SAQs. I have spoken to Merchant Banks, Processors, small businesses, IT …

The PCI DSS, Chaining and the Franchise Relationship

October 21, 2014 • Category: Industry Topics

Guest post by David Durko, PrivacyAtlas. My colleagues and I are often asked, “Where does the responsibility for compliance fall when a compliant service provider shares consumer data with a non-compliant third party?” This is an interesting question and one that could change how …

Hosted Private Cloud Service Providers: Should They Be PCI Compliant?

October 8, 2014 • Category: PCI 101

[Image: SSC Mobile and Cloud Guidelines]

Question: We are considering moving a server containing cardholder data to a hosted private cloud provider. Is it necessary that the provider have a PCI DSS assessment of their own and produce an Attestation of Compliance? What if they produce a report from an independent …

SAQ A vs. A-EP: What E-Commerce Merchants, Service Providers Need to Know Now

June 12, 2014 • Category: Industry Topics

Taking a firm stance on the security of partially outsourced e-commerce sites. When the new PCI DSS version 3.0 Self Assessment Questionnaires (SAQs) were released earlier this year, my colleagues and I closely read them to understand the potential impact on self-assessing merchants as well …

“Is it OK to email inactive credit card numbers?”

May 1, 2014 • Category: PCI 101

Question: Is a card that has been closed by an issuer that is no longer active still subject to the same compliance standards as an active card when looking to email a card number in the clear? Answer: First, I would recommend to NEVER email a credit card …

More Specialized SAQs: The New SAQ B-IP

April 8, 2014 • Category: Industry Topics

NOTE: There have been updates to the PCI DSS 3.0 standard since this post was published. The current revision is 3.2r1.1; however, the only significant changes to the SAQ B-IP have been the additions of segmentation testing and multifactor authentication for all remote access. The new …