Hi there,
For PCI SAQ forms, you should answer as much as you can to the best
of your ability in relation only to the cardholder data environment
(this would include any systems that can access or store that data).
Like Chris mentioned, you need to determine what the scope is. Are
you "redirecting" customers to the payment gateway where they enter
the card number into the Authorize.net site? Or does your application
take in the card number, and then simply send that data to the
payment gateway?
If an end-user is entering any credit card information into any forms
hosted on your server - that credit card data is touching your server
(generally in RAM, or Temp files even).
If that data is going to a cloud provider somewhere before it gets to
Authorize.net, then you have to do your due diligence and ensure they
are PCI compliant as required by the PCI Standards.
If this sparks more questions, let me know,
Alicia Smith
Senior Security Engineer
FireHost, Inc.
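The scoping distinction drawn above (does the card number post to your own server, does the browser get redirected to the gateway's hosted page, or does it post straight from the browser to the gateway) and the tampered-redirect risk Chris raises below can both be checked mechanically against a checkout page's HTML. The following is an added example, not code from this thread or from Authorize.net: the merchant host, the allow-listed gateway host, the field-name hints and the sample checkout HTML are all constructed assumptions, and a real allowlist should be taken from your gateway's integration documentation.

```python
"""Classify checkout forms by where card data goes (PCI scoping aid).

Added example, not from the mailing-list thread or Authorize.net. All
hosts, paths, field-name hints and the sample HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MERCHANT_HOST = "shop.example.org"            # assumed: host serving the checkout page
GATEWAY_HOSTS = {"secure.authorize.net"}      # assumed allowlist; take it from the gateway's docs
CARD_FIELD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir")  # assumed substrings marking card fields


class FormCollector(HTMLParser):
    """Collect every <form> with its action and the names of its <input>s."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append((a.get("name") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_form(form, page_host=MERCHANT_HOST, gateway_hosts=GATEWAY_HOSTS):
    """Label one form by whether, and where, it sends card data.

    redirect-to-gateway       no card fields; browser is sent to the gateway's hosted page
    no-card-data              no card fields; not a payment form
    card-data-touches-server  card fields post to the merchant's own host
    direct-post-to-gateway    card fields post from the browser to an allow-listed gateway
    insecure-transport        card fields would be posted over plain http
    unexpected-destination    card fields go to a host that is neither ours nor an allowed gateway
    """
    collects_card = any(hint in name for name in form["inputs"] for hint in CARD_FIELD_HINTS)
    url = urlparse(form["action"])
    host = url.hostname or page_host  # a relative action resolves to the page's own host
    if not collects_card:
        return "redirect-to-gateway" if host in gateway_hosts else "no-card-data"
    if url.scheme == "http":
        return "insecure-transport"
    if host == page_host:
        return "card-data-touches-server"
    if host in gateway_hosts:
        return "direct-post-to-gateway"
    return "unexpected-destination"


def audit_checkout(html):
    """Return [(action, label), ...] for every form on the page."""
    collector = FormCollector()
    collector.feed(html)
    return [(f["action"], classify_form(f)) for f in collector.forms]


def card_data_touches_server(html):
    """True if any form would deliver card data to the merchant's own host."""
    return any(label == "card-data-touches-server" for _, label in audit_checkout(html))


# Constructed sample page: a hosted-page redirect (placeholder path), a form
# posting the card to ourselves, a tampered form sending the card to a
# look-alike host, and a plain contact form.
SAMPLE_CHECKOUT = """
<form action="https://secure.authorize.net/placeholder" method="post">
  <input name="amount" value="25.00"><input name="invoice" value="1001">
</form>
<form action="/pay" method="post">
  <input name="card_number"><input name="cvv"><input name="expiry">
</form>
<form action="https://secure.authorize-net.example/collect" method="post">
  <input name="card_number"><input name="cvv">
</form>
<form action="/contact" method="post"><input name="email"></form>
"""

if __name__ == "__main__":
    for action, label in audit_checkout(SAMPLE_CHECKOUT):
        print(f"{label:26} {action}")
```

A static check like this only sees form actions; it will not notice script on the page that reads the card fields and posts them somewhere else, so it complements rather than replaces a review of the checkout page's JavaScript. Since a compromised cart is exactly what would change the form's destination, the check is worth running against the live page on a schedule, not just once at assessment time.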
On 9/15/2014 at 8:41 AM, "Chris Manly" wrote:
We're tackling similar issues of the new PCI-DSS rules. They've changed,
and it now gets a little trickier to understand whether your system is
"in scope" or not, even if you have an external processor.
As I understand it, if you host your own shopping cart but then hand off
to an external processor, your system is now "in scope" where by the old
rules it would have been out of scope. (The reason being if your system
gets compromised, the comp'd shopping cart could be used to redirect to a
bogus payment processor that was capturing card data.)
You might want to talk with your bank about getting advice on whether your
system is in scope or not, and if so, whether you're in compliance.
--
Christopher Manly
Coordinator, Library Systems
Cornell University Library Information Technologies
[email protected]
607-255-3344
On 9/15/14, 8:20 AM, "Roy McMorran" wrote:
>Hello all,
>
>I recall seeing some discussions of PCI issues on the list and I'm
>hoping someone might have some clues for me. I work at a small
>non-profit. We use a payment processor (Authorize.net) in
conjunction
>with Wufoo forms to accept payments online for various types of
>transactions. No payment card data ever touches our systems.
>
>Now recently we received an online questionnaire from "ControlScan".
>Our bank tells us it is legitimate (I was suspicious, as every third
>page tries to sell us something, but anyway...). Within the first few
>questions we were able to assert that we never touch payment card data.
>Nevertheless, as we got further into the (very long) survey we were
>asked lots of questions about our network infrastructure, firewalls,
>IDS, wifi and antivirus policies, even scanning our network... lots of
>things that seem more appropriate for (say) Authorize.net than for our
>pokey little shop. It really left me wondering if we had been sent the
>wrong survey. Anyway I guess I'm just looking for a sanity check before
>we finish and submit this. Any thoughts?
>
>Thanks much!
>Roy
>_______________________________________________
>Discuss mailing list
>[email protected]
>https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>This list provided by the League of Professional System Administrators
> http://lopsa.org/