Hey networking friends,
I was hired into a position to increase network security and the main focus is to become PCI compliant. I've been doing countless research on it as a whole but it seems a lot of the information I'm seeing is more high-level, without much to do with specific cases. Do I have to speak with a QSA/Security/Compliance consultant to get my specific questions answered?
My main question is regarding the scope of PCI compliance. The way we take all payments (and "saved" credit card info) is outsourced ENTIRELY to a third-party company, who is PCI compliant themselves. What does this mean for our requirements? The way it works is that a token is created (well, three over the course of the transaction) and sent to the vendor, who matches it with their token, and they send it off that matches another and completes the transaction. Since we don't truly handle actual credit card numbers, are we really in the scope of needing to be PCI compliant? If we still are, would the requirements be lower?
Any resources/forums/articles/case studies would be appreciated :) Or even PCI Consulting services.
Thanks!