On 9 April 2014 11:17, David Sommerseth <sl+us...@lists.topphemmelig.net> wrote:
> On 09/04/14 16:27, Paul Robert Marino wrote:
> > No, it was always required because the shopping cart itself may in some
> > cases contain data which could possibly be used to gain access to
> > sensitive customer data. Also, in a sense, data about who purchases what
> > and where could also be used to mask credit card fraud by making the
> > fraudulent charges look like the normal shopping activities of the
> > card holder.
>
> Really!? I've been involved in a few PCI-DSS certification rounds for a
> company which provided online payment services back in the days.
> Granted, that's some years ago now (2005 to 2008-ish). Even though our
> scope was limited to only processing credit card information, we did not
> see any requirements anywhere at that time for the shopping cart to be
> PCI-DSS certified.
>

Any time you read "always" in certifications, it means that the original organization thought they had made it clear originally, but instead it was interpreted completely differently by various auditors. Since PCI-DSS certification comes down a lot to what an auditor will go with, any phrases with wiggle room or non-absolutely-clear language (did we use MAY when we should have used WILL is the easiest one) mean you end up with years of 'clean-up' where various things you were told were OK are not OK with either a different auditor or the next set of clarifications, because someone stuck an OR in when they meant XOR or AND. So the authors go back and clear it up and say it was meant to always be that way, and people in the field go "WHA?"

--
Stephen J Smoogen.