  • How many written security policies are required for 3.2 PCI compliance?

    Hi,   I apologize if this is a bit of a newbie question but I want to ask so I'm fully up to speed.   I've been going through the PCI DSS 3.2 requirements with the explicit purpose of trying to determine j...
    last modified by wdgreen340
  • IPS/IDS PCI profile

    Hello folks, Has anyone ever worked/used/designed a PCI profile for an Intrusion prevention/detection system?   One of my clients requested to come up with an IPS profile tailored for PCI, which they can deploy. ...
    created by ramware
  • PCI Compliance for Chat/Messaging platform

    Hi, I have a question regarding PCI Compliance. The company I work for has built a platform that enables enterprises to use messaging solutions (WhatsApp, Facebook Messenger, etc.) straight from their CRM system. Our...
    created by m.jilderda
  • How does a Level 1 Service Provider get listed in the VISA Global Registry?

    After successfully completing our 1st Level 1 PCI DSS assessment by a registered QSA firm I have been tasked with getting our company listed on the VISA Global Registry of Service Providers. I was provided a lot of va...
    last modified by kiles@tdstickets.com
  • Multiple Redundant Routers vs. 1.3.5 Permit Only "Established" Connections

    So I'm looking at requirement 1.3.5 from PCI-DSS v3.2, which requests blocking connections that are not "established," with the suggestion that one uses stateful packet filtering to do this.   As phrased it's ki...
    last modified by cjs@omise.co
  • On the Use of Third-Party Service Providers & Outsourcing

    Recently a question was raised on another discussion site about whether or not third parties that do not directly have access to payment card data need to be PCI compliant and/or register with any of the card brands. ...
    last modified by jman
  • Noob Logging Question.

    I'm hoping that this is an easy one.   We use a cloud ERP CRM solution and only take credit card information over the phone. We do not store any card information on our single site at all. We have no POS either. ...
    last modified by nick.ramm@nu-heat.co.uk
  • What is the difference between a standard scan policy and a PCI scan policy?

    Not new to this; however when comparing the results of a PCI scan and a standard scan, it looks like the only real difference is that PCI bundles some of the findings and grades the scan differently.  Any links o...
    last modified by yehudahgriffin
  • 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

    Hello, Wanted to get some clarification of PCI Requirement 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.   Our entire env...
    last modified by jkowal99
  • P-Cards / Single Use Ghost Account (SUGA)

    Hello Jeff,   Are P-Cards and SUGA considered "credit cards" ...  meaning do they need the same PCI-DSS protection as credit cards?   Our situation.  We are currently using PCI-DSS checklist A an...
    last modified by bryanray
  • How "infectious" is a website that uses transparent posts to transfer CHD to a third-party processor?

    Background: Say merchant website includes a reference to a third-party service provider's javascript, that constructs a form to post cardholder data directly back to the third-party service provider (so CHD is never p...
    last modified by chef
  • What is Tenable Network Security all about?

    Trying to get the hang of the services that it offers. Does anyone have information on this?   Thanks Mike
    last modified by mike96
  • PCI-DSS Checklist

    We have recently been using PCI-DSS checklist A since our credit card processing was fully outsourced. The payment page was delivered from Authorize.net to the customer’s browser in an iFrame, and we were not i...
    last modified by bryanray
  • NTP Servers

    I saw a similar NTP question, but mine is slightly different enough to open a thread.   Is it possible to have AD servers sync with an NTP server, but other systems in the CDE sync to the AD servers, and not the...
    last modified by jabronow3
  • PCI DSS Audit File

    Hi All,   I'm a rookie and just have a quick question for you.   When I try to create a new PCI or CIS audit file, there are some mandatory fields under "Compliance Checks" which I don't really understand.   C...
    last modified by gkengkok
  • PCI DSS Scope for Malware Scan

    Hello!   PCI DSS Requirement 5.1.2 states "For systems considered to be not commonly affected by malicious software, perform periodic evaluations to identify and evaluate evolving malware threats in order to con...
    last modified by okazymyrov@gmail.com
  • Internal scanner in CDE managed by SC outside CDE - scope issue?

    Does having a SC-managed scanner in the PCI CDE zone, used to perform internal scans of the CDE, have an impact on scope? Data from this scanner gets stored in a separate org with restricted access.
    last modified by stmyers@kayak.com
  • Wireless with Guest and Corporate Network

    There are a few scenarios I'd like to get your opinion on if they would pass PCI or not.     1. PCI network is fully wireless, but Guest wifi is running on same AP (No separate circuit)   2. PCI netwo...
    last modified by jabronow3
  • SHA-1 Deprecation

    With SHA-1 being deprecated, what does this mean from a PCI perspective? SSL/TLS has been extended, so does that mean SHA-1 can still be used? ASVs mention scans will auto fail if it finds a plugin with weak hashing...
    last modified by jabronow3
  • Looking for some feedback on my PCI Exam

    I just completed my exam to become an ASV and I didn’t pass.  In my final conference call, very little detail was given on why I failed my exam but here are some of the reasons:   - Failed to ...
    last modified by marc.brejcha