A local Y is having a hard time filling out a PCI survey.

Virtually everything except for local document editing (MS Office...) is externally web hosted by a 3rd party. Their plain-Jane web site is hosted by another commercial hosting company. And ADP is their payroll/time card web site. Even before they switched to web-based I put them behind a business-class firewall. :-)

The survey is asking for their IP/subnet, load balancer configuration and approval to have their domain, IP and network blocks scanned. I can see having their IP scanned since they connect FROM it to the 3rd party site to enter credit cards into the database and initiate transactions that are handled by the 3rd party's servers. The domain (external web hosting using Drupal) only has links to the 3rd party's site for customers to perform selected functions.

I contend that the 3rd party's domain, load balancers and IP/subnet should be included as that is where the credit card information is stored and all transactions originate from. However, the 3rd party contends they have nothing to do with the PCI survey and the Y is the only thing covered by the survey.

They should pass this step. If nothing else I would like to see the 3rd party receive the same PCI scrutiny to protect the Y.

Is this normal or is there some form missing to let the credit card auditors know that they need to be looking wider than just the local Y? Don't 3rd party handlers of credit card information directly fall under PCI instead of under their customers, without any direct control?
Roger Vicker, CCP
--
*** Vicker Programming and Service *** Have bits will byte ***
www.vicker.com ***
A learned fool is more foolish than an ignorant fool.
--
This is the PC Technical Discussion for iSeries Users (PcTech) mailing list