thePCI Portal

Category: Service Providers

Cloudy Breach

The Register has a story about a breach at cloud service supplier Aptos. Aptos has several cloud services: POS in the cloud, ecommerce in the cloud (didn’t see that one coming!), etc. The timeline of what happened is: Feb 2016 – There was a breach and malware installed in the cloud. Nov 2016 – Aptos…

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. It’s a comprehensive 64-page document. Useful info for anyone who does, or is considering, e-commerce. A couple of the tidbits…

What’s the 411 on Section 4.11, Managed Service Provider?

While completing a version 3.2 PCI DSS assessment, you will eventually get to Section 4.11, titled Managed service providers (the section formerly known as 4.12 in version 3.1). Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider? Section 4.11 does not shed much light on the topic. Time to…

Who is a service provider for a SAQ A ecommerce-only merchant?

The scenario: a low-volume, ecommerce-only merchant. The website does a full redirect to a PCI compliant provider payment page, so payment processing is fully outsourced. The payment provider page is actually the merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service provider (the acquirer!). Merchant does…