
Slightly Off Topic - PCI/DSS

3 Posts
2 Users
0 Likes
236 Views
azrael
(@azrael)
Posts: 656
Honorable Member
Topic starter
 

Hullo Everyone -)

I realise that this is slightly off topic, but is there anyone out there who knows _a lot_ about PCI/DSS and what the obligations are for compliance ?

E.g. If an organisation uses a third party (WorldPay) for example for processing credit/debit cards online, and stores none itself _on computer_, are they obliged to meet PCI standards on the network ?

If that same organisation processes cards in shops, but records no details on computer, just protects the receipt slips physically, are they obliged to conform to the network portions of the requirements ?

I appreciate the help.

Thanks,

Azrael

 
Posted : 07/07/2009 3:28 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

There are a few PCI Compliance websites out there that detail requirements

http://www.pcicomplianceguide.org/merchants-20071022-gaining-pci-compliance.php

https://www.pcisecuritystandards.org/

If an organization uses a third party (WorldPay) for example for processing credit/debit cards online, and stores none itself _on computer_, are they obliged to meet PCI standards on the network ?

PCI Compliance defines that
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID).

So if there is collection and transmission of CC and customer data, then yes.

If that same organization processes cards in shops, but records no details on computer, just protects the receipt slips physically, are they obliged to conform to the network portions of the requirements ?

Again, the requirement states
Any paper receipts stored by merchants must adhere to the PCI DSS, especially requirement 9 regarding physical security.

 
Posted : 07/07/2009 4:14 pm
azrael
(@azrael)
Posts: 656
Honorable Member
Topic starter
 

Douglas,

Thanks for that. I assume then that the security requirements are limited to the part of the organisation that actually does the transmission - in this case, the website is held at a third party ISP, and the information never makes it inside the remainder of the network (the segregation requirement, I believe) and the physical security of the shops is distinct from the physical security of the head office, as head office never holds receipts …

I really appreciate your time.

Thanks,

Azrael

 
Posted : 07/07/2009 4:36 pm