5 “Buts” Your QSA Doesn’t Want to Hear

December 22, 2015 • Published Categories Best Practices Tags , ,

Qualified Security Assessors like myself are conducting annual PCI assessments year round, so while your assessment may seem like an “it’s that time of the year again” activity, our interaction with your business often involves common themes. For example, we QSAs often hear a lot … Read more

You’re Non-Compliant with PCI. Now What?

December 11, 2015 • Published Categories Best Practices Tags , , , ,

You gather up all the necessary documentation and sit down to complete the SAQ for your business—only to realize that you can’t answer “yes” to all the questions. Somewhere, something down the line occurred which now makes things complicated. When confronted with the reality of … Read more

Our Service Provider is Compliant, Must Our Organization Be As Well?

December 9, 2014 • Published Categories PCI 101 Tags , , , , ,

“Ask the QSA” Question: My organization is an online service provider. Our customers are merchants (i.e., our customers are receiving the payment through our servers) and the credit card payment storage is done by a Level 1 PCI DSS Validated third party. Does my organization … Read more

Hosted Private Cloud Service Providers: Should They Be PCI Compliant?

October 8, 2014 • Published Categories PCI 101 Tags , , , ,
SSC Mobile and Cloud Guidlines

Question: We are considering moving a server containing cardholder data to a hosted private cloud provider.  Is it necessary that the provider have a PCI DSS assessment of their own and produce an Attestation of Compliance? What if they produce a report from an independent … Read more