Is it PCI-compliant to serve images (securely) from a different domain? I searched the PCI DSS 2.0 PDF and didn't find any references to it.
2 Answers
Images do not fall under PCI compliance. PCI DSS covers the storing, transmission, and processing of credit card information only. So you can serve your images from any server you like without having any PCI issues.

John Conde
I take it these images are going to appear on the same page as the credit card entry form? If so, as long as they are rendered over SSL, they cannot be hijacked and additional code rendered in their place.
I would say that it would aid in your compliance to have the images served via SSL regardless of the domain due to the fact that your payment page must be presented in SSL to the end user.

Salvatore F. Iozzia
I wasn't the downvote here, but your statement isn't really true. SSL secures the images in transit and makes sure that their contents cannot be snooped on by machines between the server and the client. It is entirely possible to compromise the webserver serving the images, any proxy caches in between, the user's cache, etc. Any of those would allow an attacker to choose an image to render. The risks of such an attack are probably lower than attacking scripts on the same page, but I just wanted to make clear that SSL does /not/ protect you from hacking, just from leaking data in transit. – Joe Mastey Jul 09 '11 at 12:17
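The point made in the second answer, that every image on an SSL payment page should itself be served over SSL regardless of its domain, can be checked mechanically. The following is an added example (not code from the question or either answer) that parses a page and lists every `<img>` whose resolved URL is not HTTPS; the hostnames in the sample page are constructed for the demonstration.

```python
# Added example: a mixed-content check for a payment page. It reports every
# <img> that would not be fetched over HTTPS, whatever host serves it, since a
# payment page presented over SSL should not pull images over plain HTTP.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ImageSourceCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def insecure_image_sources(html, page_url):
    """Return the image URLs that would not be fetched over HTTPS.

    Relative and protocol-relative URLs are resolved against page_url, so
    '//cdn.example/x.png' counts as HTTPS only when the page itself is HTTPS.
    Inline data: URLs are not fetched from the network and are ignored.
    """
    collector = ImageSourceCollector()
    collector.feed(html)
    insecure = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)
        scheme = urlparse(absolute).scheme.lower()
        if scheme not in ("https", "data"):
            insecure.append(absolute)
    return insecure


# Constructed sample payment page with hypothetical hosts (not a real site).
SAMPLE_PAGE = """
<html><body>
<img src="https://static.example.net/logo.png">
<img src="//static.example.net/lock.png">
<img src="/images/visa.png">
<img src="http://cdn.example.org/mastercard.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<form action="/pay" method="post"><input name="cc"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_image_sources(SAMPLE_PAGE, "https://shop.example.com/checkout"):
        print("not served over HTTPS:", url)
```

The same check run against an `http://` page URL also flags relative image paths, because they inherit the page's plain-HTTP scheme.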