thePCI Portal

Category: PCI Version

Does requirement 6.4.3 mean that a merchant who uses an iframe so that their payment service provider collects the payment information has to implement a method to ensure the integrity of scripts on their web page?

Did you come here looking for an answer to this question? If so, YOU ARE IN LUCK. We have lots of answers to this question. I am sure you can find one that fits your requirements. NOTE: all of the answers below are real. QSACs really said these things (not just a QSA, but…

What is a “payment page”?

What is a “payment page”? A simple question? Maybe not. I think a layperson would say that it's the web page where you input your payment details. A merchant completing an SAQ-A compliance assessment might disagree. Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete…

Data Flow Diagrams

The Report on Compliance suggests that cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless, they are a great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…

Functionality testing to verify that the change does not adversely impact the security of the system

What are assessors' thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…

Does an SAQ-A merchant need ASV scans?

UPDATED FOR V4! If a merchant is eligible to complete an SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? YES! V4 clearly includes PCI DSS requirement 11.3.2! (Note the new V4 numbering) Self-Assessment Questionnaire A and Attestation of…