> Justin, I don't think that would work though. Depending on the level of
> compliance and the SAQ being completed, I don't think any vendor will
> allow that exemption regardless of whether credit card information is visible or
> not. If an attacker is allowed any access to a user session and can
> harvest any personally identifiable information, it could affect the security
> of any credit card entered into the site.

Perhaps, though you'd be surprised what they will sign off on with
proper compensating controls in place.  It can't hurt to ask, in any
case.  Ultimately, my advice in this situation is to isolate the
billing system so that the rest of the system isn't in scope for
compliance.  Trying to find a "quick fix" when it comes to PCI
compliance is just asking for problems.


-Justin

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350262