We're tackling similar issues with the new PCI-DSS rules. They've changed, and it now gets a little trickier to understand whether your system is "in scope" or not, even if you have an external processor.

As I understand it, if you host your own shopping cart but then hand off to an external processor, your system is now "in scope", where by the old rules it would have been out of scope. (The reason being that if your system gets compromised, the comp'd shopping cart could be used to redirect to a bogus payment processor that was capturing card data.) You might want to talk with your bank about getting advice on whether your system is in scope or not, and if so, whether you're in compliance.

-- 
Christopher Manly
Coordinator, Library Systems
Cornell University Library Information Technologies
[email protected]
607-255-3344

On 9/15/14, 8:20 AM, "Roy McMorran" <[email protected]> wrote:

> Hello all,
>
> I recall seeing some discussions of PCI issues on the list and I'm
> hoping someone might have some clues for me. I work at a small
> non-profit. We use a payment processor (Authorize.net) in conjunction
> with Wufoo forms to accept payments online for various types of
> transactions. No payment card data ever touches our systems.
>
> Now recently we received an online questionnaire from "ControlScan".
> Our bank tells us it is legitimate (I was suspicious, as every third
> page tries to sell us something, but anyway...). Within the first few
> questions we were able to assert that we never touch payment card data.
> Nevertheless, as we got further into the (very long) survey we were
> asked lots of questions about our network infrastructure, firewalls,
> IDS, wifi and antivirus policies, even scanning our network... lots of
> things that seem more appropriate for (say) Authorize.net than for our
> pokey little shop. It really left me wondering if we had been sent the
> wrong survey. Anyway I guess I'm just looking for a sanity check before
> we finish and submit this. Any thoughts?
>
> Thanks much!
> Roy
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
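The scoping concern Christopher raises is that a compromised self-hosted cart page can silently change where the customer (or the card data) is sent. One defensive check a small shop can run against its own checkout page is a tamper check on the hand-off targets: parse the page and flag any form action, meta refresh, script or iframe that points anywhere other than the expected processor host. The following is an added example written for this thread, not code from either poster, Authorize.net or ControlScan; the allowed hostnames, the sample page and the look-alike hosts in it are all constructed for illustration.

```python
"""Checkout-page hand-off tamper check (added example, not from the thread).

Assumption: the shop hands customers off to an external processor by
posting a form to, or redirecting to, a known processor hostname. A
compromised cart page could point that hand-off somewhere else; this
check parses the page and flags any hand-off target that is not an
HTTPS URL on an allowlisted host.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostnames the hand-off is allowed to reach (constructed for this example).
ALLOWED_PROCESSOR_HOSTS = {"secure.authorize.net", "test.authorize.net"}

# Constructed sample page: one legitimate hand-off form, one tampered form
# posting to a look-alike host, and an injected meta refresh.
SAMPLE_PAGE = """
<html><body>
<form method="post" action="https://secure.authorize.net/gateway/transact.dll">
  <input type="hidden" name="x_login" value="MERCHANT"></form>
<form method="post" action="https://secure-authorize.net.example/pay">
  <input type="text" name="card"></form>
<meta http-equiv="refresh" content="0;url=https://pay.example.net/checkout">
<a href="/cart">Back to cart</a>
</body></html>
"""


class HandoffCollector(HTMLParser):
    """Collect every URL the page could send the customer or card data to."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (kind, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are lower-cased by HTMLParser
        if tag == "form" and a.get("action"):
            self.targets.append(("form", a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            if "url=" in content.lower():
                # "0;url=https://..." -> everything after the first "="
                self.targets.append(("meta-refresh", content.split("=", 1)[1].strip()))
        elif tag in ("script", "iframe") and a.get("src"):
            self.targets.append((tag, a["src"]))


def find_unexpected_handoffs(html, allowed_hosts=ALLOWED_PROCESSOR_HOSTS):
    """Return (kind, url) pairs whose target is not an HTTPS URL on an allowed host.

    Relative URLs stay on the shop's own site and are not a hand-off, so they
    are ignored; every absolute URL must use https and an allowlisted host.
    """
    collector = HandoffCollector()
    collector.feed(html)
    unexpected = []
    for kind, url in collector.targets:
        parts = urlsplit(url)
        if parts.hostname is None:
            continue  # relative URL: served by our own site
        if parts.scheme != "https" or parts.hostname.lower() not in allowed_hosts:
            unexpected.append((kind, url))
    return unexpected


if __name__ == "__main__":
    for kind, url in find_unexpected_handoffs(SAMPLE_PAGE):
        print(f"UNEXPECTED hand-off via {kind}: {url}")
```

Run on a page fetched from the live site on a schedule, the check turns the "could redirect to a bogus processor" risk into something that alerts; in the sample above it reports the look-alike form target and the injected meta refresh while the genuine Authorize.net form passes. It is a detection aid, not a substitute for the scoping decision the bank or QSA makes.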
