Tom - are you sure the "Y" (A) does not need to have their network audited if their local PCs are used to take the card information and the keyboard, a possible swipe, and local PCs are used to communicate to "C"?
I was sure the PCI audit covers more than the storage of data, but also the entry points of that data.
Jim Franz

----- Original Message -----
From: "Tom Jedrzejewicz" <tomjedrz@xxxxxxxxxxxxxx>
To: "PC Technical Discussion for iSeries Users" <pctech@xxxxxxxxxxxx>
Sent: Wednesday, December 16, 2009 11:28 PM
Subject: Re: [PCTECH] PCI audit and 3rd Party hosted software.


On Wed, Dec 16, 2009 at 8:06 PM, Roger Vicker, CCP <rv-tech@xxxxxxxxxx> wrote:

Tom,

Actually A and C are the same company. Unless by "shared files" you mean
the MS Office type documents which are on the Y's local server. Or,
unless you mean C is the company that gives the merchant account. A/C
has their own web site that the Y users do all their business work through.


Using my definitions .. the Y itself is A. They don't need to submit their
network for the audit unless they have transaction or cardholder info on
their server. But getting the auditor to believe that no cardholder info
ends up stored locally is a long putt. And don't forget about email ..
almost certainly this data ends up in email somehow.


And yes A/C is the one that is saying "not us" but they are the biggest
target of attackers as they store the credit card information and
transmit them to the credit card network upon instructions from the Y.


The Y needs to give C an ultimatum .. demonstrate PCI compliance or lose the
Y as a customer. If they can't, the Y is taking a huge risk having them
handle member credit cards! If C has their own audit demonstrating PCI
compliance, that should be sufficient for the Y auditors.

BTW .. out of curiosity how are you involved in this? I hope that you are
billing them your highest rate for the time and effort.

---------
Tom Jedrzejewicz
tomjedrz@xxxxxxxxxxxxxx

