What is a “payment page”? A simple question? Maybe not. I think a layperson would say that its the webpage where you input your payment details. A merchant completing an SAQ-A compliance assessment might disagree. Merchants load these pages with scripts to enable marketing analytics, conversion trackers and chatbots to increase conversion and help consumers complete…
Category: PCI Version
4.0, PCI DSS
Can’t find the “Whats New in PCI V4.0” training?
by Ed • • 0 Comments
Can’t find the “Whats New in PCIV4.0” training? You are not alone. It is well hidden! Head over to the council’s portal at https://programs.pcissc.org Login! (bet you have to change your password again, lol!) Find RESOURCE CENTER in the big list in the middle Put DSS in the search box and press ENTER Collapse the…
4.0, PCI DSS, PCI SSC, QSA, Uncategorized, V4.0
Why cant I find PCI DSS v4 draft anywhere?
by Ed • • 0 Comments
So you are wondering why you can not find the latest PCI DSS v4 version to participate in the RFC? You meet the criteria as a PO, QSA or ASV, but the document is nowhere to be found in the other PCI portal. Its because access to the RFC is restricted to your organizations’ primary contact. …
Fun, PCI DSS, V3.2.1
The Mandela Effect and Inactive accounts
by Ed • • 0 Comments
What makes a user account “inactive”? I think most QSAs would say “any account not used with in 90 days”. I think these QSAs would also say that the PCI DSS (v3.2.1) actually defines an inactive account as one that has not been used within 90 days. But maybe this definition is from the Mandela…
Scoping, V3.2.1
Data Flow Diagrams
by Ed • • 0 Comments
The Report on Compliance suggests that Cardholder data-flow diagrams may also be included as a supplement to the description of how cardholder data is transmitted and/or processed. Regardless they are great way to communicate and document the CDE and PCI DSS scope. FAQ Article Number 1178 from February 2011 … An important prerequisite to reduce…
4.0, PCI DSS, PCI Version, Security Testing, V3.2.1
Functionality testing to verify that the change does not adversely impact the security of the system
by Ed • • 0 Comments
What are Assessor’s thoughts on requirement 6.4.5.3? 6.4.5.3 Functionality testing to verify that the change does not adversely impact the security of the system. 6.4.5.3.a For each sampled change, verify that functionality testing is performed to verify that the change does not adversely impact the security of the system. Thorough testing should be performed to…
4.0, Assessments, ASV, PCI DSS, SAQ A, V3.1, V3.2.1, Vulnerability Management
Does an SAQ-A merchant need ASV scans?
by Ed • • 0 Comments
UPDATED FOR V4! If a merchant is eligible to complete a SAQ-A to report on the results of their compliance assessment, are they required to engage an ASV (approved scanning vendor) to complete external vulnerability scans? YES! V4 clearly includes PCI DSS requirement 11.3.2! (Note the new V4 numbering) Self-Assessment Questionnaire A and Attestation of…
