Cheapest vault with reveal?
Hi, I need a PCI-compliant way to store customer CC credentials for further usage (we are a concierge and need to book on their behalf). I see many $1k a month solutions. Are there cheaper, more basic ones?
A website that I help manage has failed PCI Compliance and we appear to be unable to do anything about it.
The issue is something to do with taking payments and stored payment information. We do not store payment information except of course to record that a payment has been taken/ received.
Our payment gateway says it's a hosting issue. Our host says PCI compliance is not their problem.
We are now being fined every month.
I think we need to engage some outside help.
Can I have recommendations for third-party companies that may be able to assist in achieving PCI compliance?
Thank you.
I know that we otherwise qualify for SAQ A, but I am stuck on one requirement due to the way our website is set up. Here is that setup:
No cardholder data is collected, stored, or transmitted on any of our infrastructure. The only thing we are automatically sending to the payment processor is data about the purchase being made, because otherwise the user would need to be trusted to tell the payment processor they need to pay X number of dollars and cents.
Would this environment qualify for SAQ A?
Afternoon All,
Was wondering if somebody could just sanity check my thoughts please, if you don't mind. We are a SAQ D service provider that doesn't process any payments at all but holds CDE data on our file server for a short period of time.
When Version 4.0 came into effect we purchased a very expensive full disk encryption solution. We have been far from impressed with the company, which we had to use at the time due to limited solutions on the market.
We would like to start looking around for other solutions/companies that provide this service; however, looking around and reading this subreddit, not many people seem to be mentioning 3.5.1 as a major issue, or talking about solutions/companies that provide this solution.
I'm starting to wonder if I'm missing something, or not really understanding the requirement correctly?
My perspective was always that data had to be consistently encrypted if it's at rest or in use, and only decrypted when a user opens and is accessing the file/data, then re-encrypted when it is closed.
Any input/thoughts/explanation on this would be really really appreciated.
Many Thanks
practice for production bug fixes specifically.
For planned features it's pretty clear: you write tests, CI runs them, you have the artifact. But for production incidents where you're patching billing or payment code under pressure, the evidence trail often looks like: Sentry alert, hotfix branch, PR approval, merge, deploy. No specific documentation that the fix was tested against the original crash.
When your auditor asks "show me how you tested this fix for a production payment bug", what are you actually showing them? Is PR approval + CI passing enough? Do you need something that specifically demonstrates the root cause was reproduced and resolved?
Asking because I'm trying to build something that automates the artifact generation for exactly this scenario (deterministic crash reproduction in a sandbox + structured evidence output mapped to PCI control IDs), but I want to understand if auditors actually care about this or if I'm overengineering it.
Does anyone have the AOC for MPGS?
So one of my customers uses hashing for the cardholder data. Here they hash the PAN together with the cardholder name, add a salt to it, and store the hash in the DB, where the truncated card number is also there. They use the SHA-256 hashing algorithm. So my question here is: do we need to mandate using a keyed cryptographic hashing algorithm? Is there any problem in saving this hashed value with the truncated card number, or is requirement 3.5.1 only applicable for hashing of the PAN alone?
I run a low-volume e-commerce site that will soon accept payments using Stripe Elements, where all credit card data goes through a Stripe iframe popup on my site and is not visible to my digital infrastructure. This means I need SAQ A compliance. Do I need a quarterly scan? I see conflicting information online. Many sites say I do need the scan, while Stripe customer support says that I don't.
Hello,
I am assisting with a PCI assessment and the topic of logging is being discussed in a gap assessment.
I was curious what level of information y'all are collecting in your SIEM. For example, we have the event logged in the SIEM but not the whole raw log. Does PCI need us to send the entire raw log to the SIEM, or could you have the event and high-level details in the SIEM, be alerted on that, and then, depending on the issue, investigate the raw logs if warranted?
One of my customers uses a BIN lookup service to determine whether a card's BIN length is 6 or 8 digits and ensures that only the applicable BIN (6 or 8 digits) is displayed accordingly in the application.
However, in the database, there is a column that consistently stores and displays the first 8 digits of the PAN for all transactions, regardless of whether the actual BIN length for the card is 6 or 8 digits.
Is this approach compliant with PCI DSS requirements, specifically with respect to PAN display restrictions under Requirement 3.4.1?
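An added worked example, not taken from any of the posts above, for the two questions about stored PAN values: the BIN-length display question under Requirement 3.4.1 (the BIN and last four digits are the maximum that may be shown) and the keyed-hash question under Requirement 3.5.1. It shows masking driven by a BIN length supplied by a lookup, a check that a stored or displayed string reveals no more digits than that limit allows, and an HMAC-SHA256 over the entire PAN as the keyed alternative to an unkeyed SHA-256 of PAN plus salt. The PAN is the well-known Visa test number, and the key is a constructed placeholder; a real key would come from the organisation's key-management process and would never be hard-coded.

```python
import hashlib
import hmac
import re

# Constructed sample values: a well-known test PAN and a placeholder key.
# The key stands in for one issued by a key-management process; it is
# hard-coded here only so the example runs offline.
SAMPLE_PAN = "4111111111111111"
PLACEHOLDER_KEY = b"\x00" * 32


def luhn_valid(pan: str) -> bool:
    """Luhn check, used only to reject malformed input before it is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip spaces and dashes, then require a 13-19 digit, Luhn-valid PAN."""
    digits = re.sub(r"[\s-]", "", pan)
    if not re.fullmatch(r"\d{13,19}", digits) or not luhn_valid(digits):
        raise ValueError("not a well-formed PAN")
    return digits


def mask_pan(pan: str, bin_length: int) -> str:
    """Display form: keep the BIN (6 or 8 digits) and the last four, mask the rest.

    bin_length is the value returned by the BIN lookup service; it is not
    guessed from the PAN itself.
    """
    digits = normalise_pan(pan)
    if bin_length not in (6, 8):
        raise ValueError("BIN length must be 6 or 8")
    keep_tail = 4
    hidden = len(digits) - bin_length - keep_tail
    if hidden < 1:
        raise ValueError("PAN too short to mask with this BIN length")
    return digits[:bin_length] + "X" * hidden + digits[-keep_tail:]


def within_display_limit(value: str, bin_length: int) -> bool:
    """True if a stored or displayed string reveals at most BIN + last four digits.

    Counting digits rather than positions means a column that always keeps
    the first 8 digits is flagged for a card whose BIN is only 6 digits.
    """
    return sum(ch.isdigit() for ch in value) <= bin_length + 4


def keyed_pan_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 over the entire PAN: a keyed cryptographic hash."""
    if len(key) < 32:
        raise ValueError("use a key of at least 256 bits")
    digits = normalise_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def hash_matches(pan: str, key: bytes, stored_hash: str) -> bool:
    """Constant-time comparison when looking a PAN up against a stored hash."""
    return hmac.compare_digest(keyed_pan_hash(pan, key), stored_hash)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN, 6))                        # 411111XXXXXX1111
    print(mask_pan(SAMPLE_PAN, 8))                        # 41111111XXXX1111
    print(within_display_limit("41111111XXXX1111", 6))   # False: 12 digits shown, limit is 10
    print(within_display_limit("41111111XXXX1111", 8))   # True
    print(keyed_pan_hash(SAMPLE_PAN, PLACEHOLDER_KEY))
```

Two design points follow from the standard's own text. Requirement 3.5.1.1 asks for a keyed hash of the entire PAN with key management around the key, which is why the example keys the HMAC rather than salting a plain digest. Requirement 3.5.1 also notes that where hashed and truncated forms of the same PAN both exist in an environment, additional controls must prevent the two from being correlated to reconstruct the original; the key in `keyed_pan_hash` is what makes the hash column unusable for that purpose to anyone without it, so its protection is the control that matters when both columns sit in one table.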