On Sun, Feb 20, 2011 at 6:58 PM, Ian Forde <ianforde at gmail.com> wrote: > On Fri, 2011-02-18 at 15:09 -0500, Michael B Allen wrote: >> Are you talking about the SAQC? I run all CC transactions through one >> CentOS VPS webserver (actually I have two servers that I periodically >> wipe out and alternate between every year or two). So I don't have POS >> terminals or any Windows PCs in the mix. We don't save any card holder >> data at all. So my SAQC was a breeze. I just had to add N/A for >> questions like the "do you run anti-virus software" and explain that >> everything goes through the one Linux machine for which no anti-virus >> software exists or is necessary. > > You're going to want to go to www.pcisecuritystandards.org for the full > scoop. I'd advise you to have your counsel examine the PCI DSS > documents. IANAL, but I recall from version 2.0 of the doc found at > https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf > (click-through agreement required) that, and I quote from page 7: "PCI > DSS applies wherever account data is stored, processed or transmitted". > > So it's not about saving data per se. Just the act of having it > transmitted to your systems may (again, IANAL) make PCI DSS apply. Hi Ian, Right. But a lot of the questions in the SAQC are like "9.7.a Is strict control maintained over the internal or external distribution of any kind of media that contains cardholder data?". But if you don't save cardholder data, this simply does not apply to me. I think a lot of retailers probably have many employees using PCs to look at transaction details like names, the last 4 digits of the card number and so on. In this case, the methods for doing so need to be secured and the PCs being used need anti-virus updated regularly, etc. Since my webserver only sees CC data for the few seconds it takes for Authorize.Net to respond to the POST to their server, none of section 9 does even applies. If you're a retailer with 10 stores and 30 POS terminals, yeah, PCI compliance is a bigger job. If my CC transactions go through one webserver and no data is stored, I don't suspect this will be too difficult to handle myself. Although I'm not compliant yet. We'll see. I have to pass the scan first and right now it's complaining about things like SMTP listening on 2525, ssl cipher strength and blah, blah, blah. Presumably I just have to go through each and explain that something was backported, that running on 2525 is quite deliberate and fix things like permitted ciphers. Mike