Ask the Guru

PCI DSS Compliance for Web Pages

In a recent question to the PCI DSS Guru, Gareth asked:

We have a secure web page that is served out from a secure PCI server. Can this be served out in a new browser window or embedded as a frame? Does the URL need to be displayed to prove it is secure (e.g. https://….)?

That’s a good question, Gareth. The PCI DSS standard doesn’t speak to whether your web page must be “obviously secure” to your customers. If the server publishing the page is operating within the confines of the standard and you are following the encryption requirements of PCI DSS Requirement 4.1 (strong cryptography and security protocols for cardholder data sent over open, public networks), you are probably in good shape as far as the standard goes.

That said, you should also think about this from a marketing perspective.

(continue reading…)


VLANs and PCI DSS Compliance

David recently asked the PCI DSS Guru about the use of VLANs in a PCI DSS cardholder data environment. Here’s his question:

Are network switches in the Cardholder Data Environment in scope for PCI DSS? We are having trouble with this one. We have a VLAN that runs campus wide that transmits card data back to our servers. Are all the switches that carry this VLAN in scope? If so, how can we test changes to this network? We can’t afford another network infrastructure just for PCI. Any guidance you can provide would be great. Also, keep up the good work with your site. It’s very helpful to newbs like me.

That’s a great question, David, and it’s the subject of a lot of debate within the PCI DSS community.

(continue reading…)


Is a corporate service organization a Service Provider under PCI even if it is internal?

A reader recently submitted the following question to Ask PCI DSS Guru:

“A corporate service organization stores, processes, or transmits cardholder data on behalf of different departments. Each department is a merchant and there are thirty merchants. Is the corporate service organization a Service Provider under PCI even [if] it is internal?”

We saw this question arise about three years ago for a large institution (having just over 40 merchant accounts and over a dozen payment systems). We maintained (and the institution’s acquiring bank agreed) that because the merchant accounts belonged to a single entity, the services provided by that entity to its internal constituents did not make that organization a service provider.

Obviously, all of those merchant accounts were still in scope for PCI DSS, and each system still had to be assessed and certified compliant. Here is another post that elaborates on the definition of a service provider under PCI.


When Will I Be Asked To Comply With PCI DSS?

A reader recently submitted the following question to Ask PCI DSS Guru:

“When will merchants be contacted with the questionnaire for compliance? I have had card processing for 8 years and have never been contacted previously.”

(continue reading…)


  • Copyright © 1996-2010 PCI DSS Guru. All rights reserved.