Except that where subject to an order under 317j to conceal the existence of a TCN/TAN forms part of the terms.

In those situations, there can be no "warrant canary". An auditor has no way of knowing if such a direction exists, and someone reading a Report of Compliance has no way of knowing if such a direction exists. Consequently every PCI compliance becomes suspect, and consequently the whole PCI compliance regime is systematically weakened.

Kind regards

Paul Wilkins

On Mon, 22 Oct 2018 at 13:04, Christian Heinrich <christian.heinr...@cmlh.id.au> wrote:
> Paul,
>
> On Mon, Oct 22, 2018 at 11:32 AM Paul Wilkins <paulwilkins...@gmail.com> wrote:
> > I suppose auditors can qualify any report that mandated TCNs/TANs are
> > excepted, but are you then "PCI Compliant"?
>
> Not possible as this would be separate from the Cardholder Data
> Environment (CDE) and the encryption of "data in transit" is PCI-DSS
> Requirement 4.1.c.
>
> If the definition of the CDE were to change in the future then a
> "warrant canary" would signify this within the "Report on Compliance"
> (RoC) or "Self Assessment Questionnaire" (SAQ).
>
>
> --
> Regards,
> Christian Heinrich
>
> http://cmlh.id.au/contact
_______________________________________________ AusNOG mailing list AusNOG@lists.ausnog.net http://lists.ausnog.net/mailman/listinfo/ausnog