An acronym for Payment Card Industry (PCI) Data Security Standard (DSS): a set of rules and policies for protecting information related to card-based financial instruments.
Questions tagged [pci-dss]
680 questions
107 votes, 5 answers
Being told my "network" isn't PCI compliant. I don't even have a server! Do I have to comply?
We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business.
Our Treasurer uses a Verifone vx520 card reader to process credit card…
user3512967
42 votes, 4 answers
How to store credit card information for repeated transactions and still be PCI compliant?
I'm overhauling our absolute time-bomb of an order processing system that would put us out of business tomorrow were we audited for PCI compliance. It's so amateur it's scary.
I'm planning on making a case to the higher-ups that the liabilities of…
Ivan
27 votes, 2 answers
Does storing bank account-routing number combinations fall under PCI DSS Level 1 compliance rules?
I've looked at a number of question/answer threads and docs about PCI compliance, including various results on Google and have not found a definitive answer to this question:
Does a web app fall under PCI compliance rules/regs if it collects the…
zealoushacker
11 votes, 4 answers
PCI restrictions on using (hashed) credit card number to identify a repeat customer?
Question for any PCI experts out there:
Airport ticket kiosks can use your credit card to find your reservation at checkin time. So clearly PCI must allow use of credit card numbers to identify customers. I assume the airline is storing an…
Justin Grant
11 votes, 3 answers
PCI Audit: Using "test" cards
I know that the PCI standard does not allow you to use real credit card numbers on test systems. Visa, Mastercard and Amex supply a list of "test" cards to use. Makes perfect sense, and we have been doing that.
Now, once everything is set up in…
E Green
9 votes, 2 answers
Unsolicited credit card in email?
I work for an insurance company who will randomly (3-5 times per year) have a consumer who emails their credit card to our customer service department. We don't ask for the number, they just send it over to "expedite" their transaction.
From a…
Jack M.
8 votes, 3 answers
A store I visited is breaching PCI DSS. What should I do?
I recently visited a store in Northern Ireland and paid using my Visa debit card. The receipt shows my entire card number and expiry date. It also contains other info. I thought this should all be crossed out as now they have a copy of my card…
Robert
7 votes, 2 answers
PCI DSS and Memcached
If I store cardholder details (PAN, Expiry etc.) in a Memcached data bucket, is that something to worry about in terms of PCI DSS compliance?
Our database is in a data center and is encrypted. Our web server is also in this data center. If I cache…
Anthony
7 votes, 3 answers
PCI compliance if not storing or transmitting credit card data
I have a networked product that we install on customer networks. The device does not pass any of the CC data, but only sits on the same network (think Nest or Dropcam). The customer networks sometimes include a POS device. We never receive,…
Scott
7 votes, 3 answers
A bit confused about PCI compliance
I have a client that wants me to build her a simple e-commerce site for her small quilt store. I'm going to use Stripe for the credit card handling. The only info I'm going to keep on my system is the user's name. Everything else will simply be…
Major Productions
6 votes, 1 answer
Is Heroku PCI Compliant?
Obviously Heroku wants you to think they're PCI compliant by telling you "Heroku’s infrastructure provider is PCI Level 1 compliant" (AWS). https://www.heroku.com/policy/security
But since Heroku runs their own IaaS on top of that, wouldn't Heroku…
J K
6 votes, 2 answers
What does the PCI-DSS statement "Store separately from the data encrypting key" mean?
As per the PCI-DSS 3.5.2 requirement
Encrypted with a key-encrypting key that is at least as strong as the data-encrypting key, and that is stored separately from the data encrypting key.
Does this mean:
Storing the keys (DEK and KEK) in different…
Chandrasekar Kesavan
6 votes, 2 answers
Dual control / key encrypting key required?
I'm trying to get my head around 3.6.3 and 3.6.2 in the PCI-DSS standard, secure cryptographic key storage and distribution.
Would having two 256 bit key halves stored in separate, isolated locations which are XORed together to create the data…
Tim Brigham
6 votes, 2 answers
How to submit credit card info to a separate server/website (PCI)
My company has a website/service that stores/processes credit cards and is PCI compliant (Site A). We also have websites with storefronts that need to submit credit card data to that site for processing (Site B). When someone orders something on…
mikemick
6 votes, 2 answers
Are any and all software vendors who have stored credit card information in their databases subject to PCI-DSS or only some?
Is a commercial software vendor who sells software for use in the United States subject to, or legally required to implement, PCI-DSS if their software includes a feature which will allow the collection and storage of credit card information, but…
Warren P