DrupalSecurityTeam / drupalpcicompliance

Official github repo for the Drupal PCI compliance white paper.
http://drupalpcicompliance.org

SAQ C not for e-commerce channels? #24

Closed crazymonk closed 10 years ago

crazymonk commented 10 years ago

The whitepaper mentions that SAQ C is an option for situations where card numbers are posted to Drupal, but PCI DSS v3.0 states clearly that SAQ C is not applicable to e-commerce channels: https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf

"C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels"

So my understanding is that those would have to use SAQ D, not C. This language wasn't in v2.0 so it looks like it's either new or they're just clarifying something that's been true in the past.

-marco

rickmanelius commented 10 years ago

Hi Crazymonk. You are correct. And thankfully this was also already caught by one of the co-authors. https://github.com/rickmanelius/drupalpcicompliance/pull/23#discussion-diff-13545696. The importance of this is huge, and further underscores the importance of using shared-management solutions against the even more costly SAQ D scenario.

crazymonk commented 10 years ago

Ah yep, I see the comment on that commit. Thanks!