Hi All,
We ended up getting some assistance with the process from ControlScan
support. They were really helpful. It turns out that one of our early
answers in the online questionnaire had sent us off into SAQ D land,
which wasn't really appropriate for our situation (as I suspected).
After some clarification we were able to use SAQ B, and those questions
made a LOT more sense. I think we're in good shape now.
Thanks again for the help and the sanity check!
Roy
On 9/16/14, 10:03 AM, Roy McMorran wrote:
Thank you Chris, Mark, and Alicia for your thoughtful replies.
To clarify, Wufoo.com hosts the 'forms' which are typically a donation
or course/event registration page. In order to submit payment, Wufoo
redirects to a page hosted by Authorize.net. It is on that page where
a customer would enter payment information. Payment card data
certainly never touches our web server, and (according to Wufoo) never
touches Wufoo's servers either. So I *think* our infrastructure is
out of scope.
We are planning a call with our merchant services provider in the near
future, and if anything interesting comes of that I will follow up.
Thanks again and best wishes,
Roy
On 9/15/14, 8:09 PM, phro...@nym.hush.com wrote:
Hi there,
For PCI SAQ forms, you should answer as much as you can to the best
of your ability in relation only to the cardholder data environment
(this would include any systems that can access or store that data)
Like Chris mentioned, you need to determine what the scope is. Are
you "redirecting" customers to the payment gateway where they enter
the card number into the Authorize.net site? Or does your application
take in the card number, and then simply send that data to the
payment gateway?
If an end-user is entering any credit card information into any forms
hosted on your server - that credit card data is touching your server
(generally in RAM, or Temp files even)
If that data is going to a cloud provider somewhere before it gets to
Authorize.net, then you have to do your due diligence and ensure they
are PCI compliant as required by the PCI Standards.
If this sparks more questions, let me know,
Alicia Smith
Senior Security Engineer
FireHost, Inc.
On 9/15/2014 at 8:41 AM, "Chris Manly" <c...@cornell.edu> wrote:
We're tackling similar issues of the new PCI-DSS rules. They've
changed,
and it now gets a little tricker to understand whether your
system is "in
scope" or not, even if you have an external processor.
As I understand it, if you host your own shopping cart but then
hand off
to an external processor, your system is now "in scope" where by
the old
rules it would have been out of scope. (The reason being if you
system
gets compromised, the comp'd shopping cart could be used to
redirect to a
bogus payment processor that was capturing card data.)
You might want to talk with your bank about getting advice on
whether your
system is in scope or not, and if so, whether you're in compliance.
--
Christopher Manly
Coordinator, Library Systems
Cornell University Library Information Technologies
c...@cornell.edu
607-255-3344
On 9/15/14, 8:20 AM, "Roy McMorran" <mcmor...@barncrew.com> wrote:
>Hello all,
>
>I recall seeing some discussions of PCI issues on the list and I'm
>hoping someone might have some clues for me. I work at a small
>non-profit. We use a payment processor (Authorize.net) in
conjunction
>with Wufoo forms to accept payments online for various types of
>transactions. No payment card data ever touches our systems.
>
>Now recently we received an online questionnaire from "ControlScan".
>Our bank tells us it is legitimate (I was suspicious, as every third
>page tries to sell us something, but anyway...). Within the
first few
>questions we were able to assert that we never touch payment
card data.
>Nevertheless, as we got further into the (very long) survey we were
>asked lots of questions about our network infrastructure, firewalls,
>IDS, wifi and antivirus policies, even scanning our network...
lots of
>things that seem more appropriate for (say) Authorize.net than
for our
>pokey little shop. It really left me wondering if we had been
sent the
>wrong survey. Anyway I guess I'm just looking for a sanity check
before
>we finish and submit this. Any thoughts?
>
>Thanks much!
>Roy
>_______________________________________________
>Discuss mailing list
>Discuss@lists.lopsa.org
>https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
>This list provided by the League of Professional System
Administrators
> http://lopsa.org/
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System
Administrators
http://lopsa.org/
--
Roy McMorran
Bar Harbor, ME
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/
--
Roy McMorran
Bar Harbor, ME
_______________________________________________
Discuss mailing list
Discuss@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/