by zbruhnke 2571 days ago
FYI we are complying with PCI DSS when you use this site - you can read details in the FAQ
2 comments

Do we have proof of that? I think the fact that we're taking your word for everything so far is the source of the discomfort here.
Sort of humorous comment, as PCI DSS is self-assessment and attestation of compliance. If OP states they’ve met their burden, that’s all that’s required at their scale.
Really? I evidently know nothing of the matter, but you're saying that the auditors only get involved when they become a larger operation?
Yep. Card networks can also unilaterally decide your level.

https://www.pcicomplianceguide.org/faq/#4

Disclaimer: I work in governance/risk/compliance, but have not performed PCI compliance work in the last several years.

PCI DSS assessments are signed by natural persons, not arbitrary HTML content.
Natural persons who are rarely, if ever, pursued when breaches occur.
Anyone can make a FAQ on the web. Not everyone can prove compliance with PCI DSS.
The same could be said about any other online merchant...
It could but they should be able to provide an Attestation of Compliance. If they can't, then you can trust that they're PCI compliant.