by toomuchtodo 2571 days ago
Sort of humorous comment, as PCI DSS is self assessment and attestation of compliance. If OP states they’ve met their burden, that’s all that’s required at their scale.

Really? I evidently know nothing of the matter, but you're saying that the auditors only get involved when they become a larger operation?
Yep. Card networks can also unilaterally decide your level.

https://www.pcicomplianceguide.org/faq/#4

Disclaimer: I work in governance/risk/compliance, but have not performed PCI compliance work in the last several years.

PCI DSS assessments are signed by natural persons, not arbitrary HTML content.
Natural persons who are rarely, if ever, pursued when breaches occur.