
Which requirements am I obliged to fulfil as part of the self-assessment, as a web developer for an eCommerce application? I have lots of SAQs (self-assessment questionnaires) as part of PCI DSS.

What should be the scope of concern throughout the development life-cycle?

  • Development
  • Testing
  • Deployment
  • Any other aspect you might think of?

Is there any open source tool to support this process (assessment and tracking), etc.?

Alex K.
sakhunzai
  • The correct SAQ depends on what you are actually doing with card details, which we don't know. [Understanding_SAQs_PCI_DSS_v3.pdf](https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf) – Alex K. Dec 04 '15 at 11:35
  • Actually that is the puzzle; I am currently not storing the card holder data/security tokens in my application. – sakhunzai Dec 04 '15 at 11:41
  • PCI applies if you *store*, *process* or *transmit* details – Alex K. Dec 04 '15 at 11:42
  • @AlexK. thanks I got the list https://www.pcisecuritystandards.org/documents/Understanding_SAQs_PCI_DSS_v3.pdf – sakhunzai Dec 04 '15 at 11:44
  • I think only transmit for processing :) – sakhunzai Dec 04 '15 at 11:45

1 Answer

Only a QSA can give you an official answer, but I can give you some ideas.

How is the web app being used? This will help determine your scope:

  • Is it only for your own use? The best scenario is to use an iFrame or a full page served directly from a PCI compliant provider (generally the payment gateway); this could be SAQ A. If you need to do a direct post (i.e. the credit card details never touch your server) then you may be able to use SAQ A-EP. If the credit card number touches your server then it's SAQ D. Aim for SAQ A; it'll save you a big headache.
  • Do you provide it for clients to use in their own systems where they have control over the code or servers? Take a look at PA-DSS.
  • Do you offer it as a service to clients where they have no control of the system? Then you'd need SAQ D service provider.

Take a look at requirement 6 to get an idea of what is needed for the SDLC.

Tools-wise there's the PCI scoping toolkit; I'm not sure that's what you're asking for though.

Richard
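The answer's scoping rule hinges on one architectural fact: whether a primary account number (PAN) ever reaches your own server. The snippet below is an added example, not code from the answer or from any PCI document, showing how a team aiming for SAQ A or A-EP can verify that fact in code rather than by assumption: a Luhn-based detector scans every string field of an inbound checkout request, and the handler refuses anything that looks like a raw card number, accepting only a gateway token. The field names (`card`, `payment_token`, `order_id`), the token name, the 13-19 digit length window and the Luhn heuristic are all assumptions made for the example; a real gateway defines its own token field. The detector generalizes beyond the checkout case in the answer and can equally be run over logs or stored records.

```javascript
// Added example (not from the original answer). Scope guard for a server that
// must never see card data: detect PAN-like values in a request body so that
// any code path leaking raw card numbers to your server is caught early.

// Luhn checksum: every payment card PAN passes it, most other digit strings
// (order ids, phone numbers) do not, which keeps false positives low.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns the names of body fields whose value looks like a PAN:
// 13 to 19 digits once spaces and dashes are stripped, and Luhn-valid.
function findPanFields(body) {
  const hits = [];
  for (const [name, value] of Object.entries(body)) {
    if (typeof value !== 'string') continue;
    const digits = value.replace(/[\s-]/g, '');
    if (/^\d{13,19}$/.test(digits) && luhnValid(digits)) hits.push(name);
  }
  return hits;
}

// Never write a full PAN to logs or error responses: keep only the last four.
function mask(value) {
  const digits = value.replace(/[\s-]/g, '');
  return digits.slice(-4).padStart(digits.length, '*');
}

// Hypothetical checkout handler. The only payment input it accepts is the
// gateway token produced by the provider's iFrame / direct-post flow; any
// raw card data is rejected with a 400 so it is never processed or stored.
function handleCheckout(body) {
  const pans = findPanFields(body);
  if (pans.length > 0) {
    return {
      status: 400,
      error: 'raw card data rejected: use the gateway token',
      fields: pans.map((f) => `${f}=${mask(body[f])}`),
    };
  }
  if (typeof body.payment_token !== 'string' || body.payment_token === '') {
    return { status: 400, error: 'missing payment_token' };
  }
  return { status: 200, charge_with: body.payment_token };
}

// Constructed sample requests (4111111111111111 is a well-known test number).
const goodRequest = { order_id: '1234567890123', payment_token: 'tok_example' };
const leakyRequest = { order_id: '1234567890123', card: '4111 1111 1111 1111' };

console.log(handleCheckout(goodRequest));   // { status: 200, charge_with: 'tok_example' }
console.log(handleCheckout(leakyRequest));  // status 400, fields: [ 'card=************1111' ]
```

Wiring `findPanFields` into a request-logging middleware, or running it over a database dump, gives the same scope check for the other two places card data tends to leak (logs and persistence); a single hit means the system is in SAQ D territory regardless of what the checkout page was designed to do.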