thePCI Portal

Category: Service Providers

Does a Merchant or Service Provider HAVE to use a PCI Compliant Service Provider (or can that Service Provider be non-compliant)?

I think that everyone would agree that a service provider does not necessarily have to be independently “assessed” as PCI DSS compliant. They could also be assessed as part of the assessed entity’s assessment. But do they need to be “assessed” or “compliant” at all? I think it’s a risk-based decision that depends on…

PCI DSS compliance for Service Providers

There are 4 generally accepted levels of PCI compliance assessment for a service provider, in ascending order of Service Provider effort:

Compliance Assessment Method | Completion and signing | Info | Annual Service Provider relative effort | Annual QSA effort
Service provider assessed as part of (each) client’s assessment | None | May require onsite visit. | Hours/days | Client’s QSA: Hours/days…

Cloudy Breach

The Register has a story about a breach at cloudy service supplier Aptos. Aptos has several cloud services: POS in the cloud, Ecommerce in the cloud (didn’t see that one coming!), etc. The timeline of what happened is: Feb 2016 – There was a breach and malware installed in the cloud. Nov 2016 – Aptos…

Best Practices for Securing eCommerce Information Supplement

Best Practices for Securing eCommerce Information Supplement is a great doc full of comprehensive info! The objective of this information supplement is to update and replace the PCI DSS E-commerce Guidelines published in 2013. It’s a comprehensive 64-page document. Useful info for anyone who does or is considering e-commerce. A couple of the tidbits…

What’s the 411 on section 4.11 Managed Service Provider?

While completing a version 3.2 PCI DSS assessment, you will eventually get to section 4.11, titled Managed service providers (the section formerly known as 4.12 in version 3.1). Presuming that the assessed entity is a service provider, what constitutes a “managed” service provider? Section 4.11 does not shed much light on the topic. Time to…

Who is a service provider for a SAQ A ecommerce-only Merchant?

The Scenario: Low volume ecommerce-only merchant. Website does a full redirect to a PCI compliant provider payment page, so payment processing is fully outsourced. The payment provider page is actually the Merchant’s acquirer (not a middleman). All processing of cardholder data is entirely outsourced to a PCI DSS validated third-party service provider (the acquirer!). Merchant does…