Hi All,

We ended up getting some assistance with the process from ControlScan support. They were really helpful. It turns out that one of our early answers in the online questionnaire had sent us off into SAQ D land, which wasn't really appropriate for our situation (as I suspected). After some clarification we were able to use SAQ B, and those questions made a LOT more sense. I think we're in good shape now.

Thanks again for the help and the sanity check!
Roy

On 9/16/14, 10:03 AM, Roy McMorran wrote:
Thank you Chris, Mark, and Alicia for your thoughtful replies.

To clarify, Wufoo.com hosts the 'forms' which are typically a donation or course/event registration page. In order to submit payment, Wufoo redirects to a page hosted by Authorize.net. It is on that page where a customer would enter payment information. Payment card data certainly never touches our web server, and (according to Wufoo) never touches Wufoo's servers either. So I *think* our infrastructure is out of scope.

We are planning a call with our merchant services provider in the near future, and if anything interesting comes of that I will follow up.

Thanks again and best wishes,
Roy

On 9/15/14, 8:09 PM, phro...@nym.hush.com wrote:
Hi there,

For PCI SAQ forms, you should answer as much as you can to the best of your ability in relation only to the cardholder data environment (this would include any systems that can access or store that data). Like Chris mentioned, you need to determine what the scope is. Are you "redirecting" customers to the payment gateway where they enter the card number into the Authorize.net site? Or does your application take in the card number, and then simply send that data to the payment gateway? If an end-user is entering any credit card information into any forms hosted on your server, that credit card data is touching your server (generally in RAM, or temp files even).

If that data is going to a cloud provider somewhere before it gets to Authorize.net, then you have to do your due diligence and ensure they are PCI compliant as required by the PCI Standards.

If this sparks more questions, let me know,

Alicia Smith
Senior Security Engineer
FireHost, Inc.


On 9/15/2014 at 8:41 AM, "Chris Manly" <c...@cornell.edu> wrote:

    We're tackling similar issues of the new PCI-DSS rules. They've changed,
    and it now gets a little trickier to understand whether your system is
    "in scope" or not, even if you have an external processor.

    As I understand it, if you host your own shopping cart but then hand off
    to an external processor, your system is now "in scope" where by the old
    rules it would have been out of scope. (The reason being if your system
    gets compromised, the comp'd shopping cart could be used to redirect to a
    bogus payment processor that was capturing card data.)

    You might want to talk with your bank about getting advice on whether your
    system is in scope or not, and if so, whether you're in compliance.

    --
    Christopher Manly
    Coordinator, Library Systems
    Cornell University Library Information Technologies
    c...@cornell.edu
    607-255-3344





    On 9/15/14, 8:20 AM, "Roy McMorran" <mcmor...@barncrew.com> wrote:

    >Hello all,
    >
    >I recall seeing some discussions of PCI issues on the list and I'm
    >hoping someone might have some clues for me. I work at a small
    >non-profit. We use a payment processor (Authorize.net) in conjunction
    >with Wufoo forms to accept payments online for various types of
    >transactions. No payment card data ever touches our systems.
    >
    >Now recently we received an online questionnaire from "ControlScan".
    >Our bank tells us it is legitimate (I was suspicious, as every third
    >page tries to sell us something, but anyway...). Within the first few
    >questions we were able to assert that we never touch payment card data.
    >Nevertheless, as we got further into the (very long) survey we were
    >asked lots of questions about our network infrastructure, firewalls,
    >IDS, wifi and antivirus policies, even scanning our network... lots of
    >things that seem more appropriate for (say) Authorize.net than for our
    >pokey little shop. It really left me wondering if we had been sent the
    >wrong survey. Anyway I guess I'm just looking for a sanity check before
    >we finish and submit this. Any thoughts?
    >
    >Thanks much!
    >Roy
    >_______________________________________________
    >Discuss mailing list
    >Discuss@lists.lopsa.org
    >https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
    >This list provided by the League of Professional System Administrators
    > http://lopsa.org/




--
Roy McMorran
Bar Harbor, ME





--
Roy McMorran
Bar Harbor, ME

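Added example (not code from anyone in this thread): a small static check that applies the two scoping questions raised above to a checkout page. Alicia's question is whether card fields post to your own server or whether the customer is handed off to the processor's hosted page; Chris's concern is that a compromised cart could be pointed at a bogus processor. The script parses the forms on a page and reports, per form, whether card fields post to the page's own origin (card data touches your server), to an allowlisted processor host over https (hosted handoff), or to anything else (suspicious). The sample HTML, the field-name hints and the allowlist of Authorize.net hostnames are constructed assumptions for the example, not anything the thread states.

```python
"""Classify the forms on a checkout page for PCI scoping.

Constructed example; the sample page, field-name hints and processor
allowlist below are assumptions, not data from the mailing-list thread.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest a field carries a PAN, CVV or expiry (assumption).
CARD_FIELD_HINTS = ("cardnumber", "card_number", "ccnum", "cc-number",
                    "x_card_num", "cvv", "cvc", "expiry", "exp_month")

# Hosts we expect card data to be handed off to (assumed allowlist).
ALLOWED_PROCESSOR_HOSTS = {"secure.authorize.net", "secure2.authorize.net"}


class FormCollector(HTMLParser):
    """Collect each <form> with its action, method and input/select names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
            self.forms.append(self._current)
        elif tag in ("input", "select") and self._current is not None:
            self._current["fields"].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def has_card_fields(fields):
    """True if any field name looks like a card number, CVV or expiry field."""
    return any(hint in name for name in fields for hint in CARD_FIELD_HINTS)


def classify_form(form, page_url, allowed_hosts=ALLOWED_PROCESSOR_HOSTS):
    """Return one of: no-card-data, in-scope, hosted-handoff, suspicious."""
    if not has_card_fields(form["fields"]):
        return "no-card-data"
    target = urlsplit(urljoin(page_url, form["action"]))
    own_host = urlsplit(page_url).hostname or ""
    if form["method"] != "post":
        return "suspicious"            # card data in a query string ends up in logs
    if (target.hostname or "") == own_host:
        return "in-scope"              # card data is posted to our own server
    if target.hostname in allowed_hosts and target.scheme == "https":
        return "hosted-handoff"        # customer is sent to the real processor
    return "suspicious"                # unknown host, or not https: bogus processor?


def classify_page(html, page_url, allowed_hosts=ALLOWED_PROCESSOR_HOSTS):
    """Parse a page and return [(resolved form action, verdict), ...] in page order."""
    collector = FormCollector()
    collector.feed(html)
    return [(urljoin(page_url, f["action"]), classify_form(f, page_url, allowed_hosts))
            for f in collector.forms]


# Constructed sample page: a real handoff, a non-payment form, a cart that
# takes card data itself, and a cart pointed at an unknown host.
SAMPLE_PAGE = """
<html><body>
<form action="https://secure.authorize.net/gateway/transact.dll" method="post">
  <input name="x_amount" value="25.00"><input name="x_card_num"><input name="x_exp_date">
</form>
<form action="/register" method="post">
  <input name="email"><input name="course_id">
</form>
<form action="/checkout/pay" method="post">
  <input name="cardnumber"><input name="cvv">
</form>
<form action="https://pay.example-gateway.invalid/collect" method="post">
  <input name="cc-number"><input name="cvc">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, verdict in classify_page(SAMPLE_PAGE, "https://www.example.org/donate"):
        print(f"{verdict:15s} {action}")
```

This is a point-in-time check of the page as served, so it is only useful run from outside the site on a schedule; it tells you where card data would go today, not what a compromised server might serve tomorrow, and it does not by itself decide which SAQ applies. That determination stays with the merchant bank or assessor, as the replies above say.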
