Wednesday, July 30, 2014

yet more PCI notes

  • This touches on the distinction between SAQ A and SAQ A-EP standards for PCI 3.0 compliance.
  • A QSA is a Quality Security Assessor. These individuals do the actual audits. Typically the credit card companies themselves send the QSAs out and pressure others to get audited. Given the legal nature of PCI, the government certainly does not enforce it, and the go-live of PCI 3.0 on the first day of 2015 cannot really mean anything in terms of new national law. The date and the standard that comes with it are all just the trappings of industry standardization.
  • This suggests that the magnetic stripe on a credit card holds the cardholder's name, the card number, the expiration date, and the CVV, but not the zip code. Addendum 8/8/2014: My superior mentioned that the magnetic stripe does NOT contain the CVV and instead has a different code that it uses. I suppose I do not know what is true.

Addendum 12/1/2014: A coworker found https://www.pcicomplianceguide.org/saq-a-vs-a-ep-what-e-commerce-merchants-service-providers-need-to-know-now/ which has yet more on SAQ A versus SAQ A-EP.
