Sorry for the short answer but YES. They need to comply with ALL the PCI-DSS requirements. When they sign the AOC they are stating that they meet ALL requirements of the DSS.
Sent from my iPhone

On Apr 11, 2013, at 4:04 PM, Jeff h <[email protected]> wrote:

> I have a question I hope someone can answer regarding PCI. We have a vendor
> that we use that hosts an application. The vendor says they are a Level 4
> merchant and use a third party for all credit card transactions. So they
> would have to fill out a SAQ C and have an external scan by an approved
> vendor.
>
> Do they still have to abide by all PCI DSS requirements even if they are not
> spelled out in SAQ C, such as password length, reuse, and expiration?
>
> The vendor has a document in which they describe their security controls, and they do
> not even meet PCI DSS's already lax standard of at least 7 character passwords.
> They claim that since they are level 4 they don't need to.
>
> My understanding was all requirements still apply even if it doesn't go
> through every single requirement in SAQ C; they still have to check the box
> that says "I have read the PCI DSS and I recognize that I must maintain full
> PCI DSS compliance at all times"
>
> So who is correct?
>
> Thanks,
> Jeff
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
