by verystealthy 4191 days ago
>This is the issue. Chances are Heroku has a very secure infrastructure, but the world will never know unless it allows various audits to be generated for compliance purposes.

Exactly. And, personally, I think this is rather odd. They could solve this in a heartbeat.

>Not true, see below:

Duly noted, and thanks for the link, but here's the thing: what if you're not eligible for a self-assessment?

1 comments

> what if you're not eligible for a self-assessment

If you're doing higher transaction volume and are not eligible for a self-assessment, you have to have a certified QSA sign off on an audit of the internal processes.

The QSA will make sure that all the required systems and processes are in place and sign off on it.

PCI is definitely a fairly frustrating thing to deal with, but there are some good practices underlying it that many orgs would simply not follow if it weren't required by their merchant processor.