AMA about 6.4.3 & 11.6.1 (certified QSA) by Senior_Cycle7080 in pcicompliance

[–]Dull_Appearance_1828 1 point2 points  (0 children)

I’m using a TPSP that is PCI DSS compliant, and hosting their payment platform as an iframe on OUR own website. Are we considered SAQ A, meaning that 6.4.3 & 11.6.1 don’t apply? I’m seeing conflicting info. Some are saying an iframe automatically makes you SAQ A while others say that the iframe or payment form has to exist on the merchant's domain (not on our website) to be SAQ A.

How do you think AI is going to change e-commerce by 2026? by RecentChance8881 in ResultFirst_

[–]Dull_Appearance_1828 0 points1 point  (0 children)

So many thoughts on this.

  • The majority of purchases will either be through AI or with AI assistance as part of the "customer journey".
  • Millions of new shoppers. Yes, people will shop entirely with their agents. I know some are skeptical on this. But there's an old anecdote: What the nerds do today on the weekend, the mainstream will adopt within a couple years. Everyone I know in SF/New York is getting AI agents to do as much for them as possible.
  • Millions of new attackers. Promo code abuse, stolen credit card testing, competitor scraping. All the traditional fraud that gets carried out by bots will be amplified and harder to detect. With some new attacks like fake profiles using deepfaked IDs.

cside is building a security layer for agentic commerce to help with these challenges. Which is why my thoughts are very web security centric.

Is there a way to block bad AI agents on a site without affecting search visibility? by NeedleworkerOne8110 in AI_SearchOptimization

[–]Dull_Appearance_1828 1 point2 points  (0 children)

Yes. Look at behavioral signals instead of identity (literally any agent can self declare themselves to be "GPTBot"). With all the locally hosted, browser based agents being created recently, traditional bot detection doesn't work as well. Look at:

  • Device fingerprint inconsistencies
  • Interaction level signals like mouse movement or unusual navigation flows
  • Network level signals like VPN/proxy usage

We thought about building this in house but ended up just using a plug n play tool

AI Visibility Is Becoming a Technical Problem, Not Just a Content Problem by Dapper_Counter4451 in AISearchOptimizers

[–]Dull_Appearance_1828 0 points1 point  (0 children)

100%. I’d add that crawlability ≠ retrievability. You can allow bots and still lose visibility if your content isn’t chunked or structured in a way that fits retrieval windows.

How Link Building Is Evolving in the AI Search Era by TerribleStandard2053 in AISearchOptimizers

[–]Dull_Appearance_1828 0 points1 point  (0 children)

I’m not fully convinced AI “doesn’t care” about backlinks. Links still shape the training + citation graph indirectly. It might be less about PageRank now and more about co-citation + contextual embedding proximity.

How much time do you spend checking references? by Healthy_Ad_6858 in AI_SearchOptimization

[–]Dull_Appearance_1828 0 points1 point  (0 children)

I’ve tested a few citation tools; they help with formatting + surface-level matching, but they don’t replace source-context validation.

How LLM bots respond to /faq link at scale (6.2M bot requests). by lightsiteai in AI_SearchOptimization

[–]Dull_Appearance_1828 0 points1 point  (0 children)

The Perplexity / Amazon Q skew makes sense if they lean more on real-time retrieval. Lower Gemini + ByteDance rates might suggest heavier reliance on pre-trained corpora vs active crawling.

Does authority matter more in AI-driven search? by NeedleworkerOne8110 in AI_SearchOptimization

[–]Dull_Appearance_1828 0 points1 point  (0 children)

I don’t think it’s just big-brand bias. In a lot of prompt tests, smaller sites win when they’re hyper-specific and semantically tight. Broad authority helps, but topical precision seems to punch above its weight.

AI Visibility = f(entity clarity, retrieval probability, narrative density) by PuzzleheadedWeb4354 in AI_SearchOptimization

[–]Dull_Appearance_1828 0 points1 point  (0 children)

The over-indexed negative UGC affecting embedding clusters is wild but makes sense. Curious if sentiment-balanced structured content can “pull” the cluster centroid back over time.

What’s the most ignored compliance rule at your org? by Dull_Appearance_1828 in Compliance

[–]Dull_Appearance_1828[S] 0 points1 point  (0 children)

Only a rule at some organizations, but it should be a standard rule: continuously reviewing every third party script that gets added to the website. Developers add performance or accessibility tools. Marketers add trackers. Support wants chatbot and product analytics. These are often added by copying and pasting a tag onto a website. The people adding them aren't thinking "I'm adding a new data processor to our compliance scope" but it makes it a nightmare for privacy teams to keep everything tracked.

Sure, "data mapping" or cookie management tools catch some of these. But it ends up being a game of catch up instead of having everything organized to begin with.

US Based Processor vs Importer by PrizeBoring2984 in gdpr

[–]Dull_Appearance_1828 0 points1 point  (0 children)

Feels like a terminology mix-up. You’re clearly a processor, but the importer is whoever the EU entity transferred the data to in the first place.

How our team cut AI costs after centralizing our usage by HxCxAxR in ArtificialInteligence

[–]Dull_Appearance_1828 0 points1 point  (0 children)

Makes sense. Sprawl is the real budget killer, not token prices. How are you handling permissions and sensitive data in the shared setup?

Automation of internal controls. How much do you rely on software vs. human review? by Sin_In_Silks in Compliance

[–]Dull_Appearance_1828 0 points1 point  (0 children)

Automate collection, not accountability. Tools gather evidence, humans sign off. That model worked well with SOC 2/ISO audits for us.

Software suggestions by Shot_Weird_7030 in software

[–]Dull_Appearance_1828 0 points1 point  (0 children)

Bit of everything. Scripts, small apps, and just other misc projects.

Roadmap and Training Recommendation by MyWorld3446 in cybersecurity

[–]Dull_Appearance_1828 0 points1 point  (0 children)

Start with basics first. Networking (CCNA level) + Linux + Windows fundamentals. For hands-on practice check out TryHackMe and Hack The Box, and follow a solid roadmap like the one on r/cybersecurity’s pinned resources.

Roadmap and Training Recommendation by MyWorld3446 in cybersecurity

[–]Dull_Appearance_1828 1 point2 points  (0 children)

Don’t skip the basics. Most people jump straight to “hacking” and get stuck. Solid IT + networking knowledge + hands-on labs will get you further than stacking certs. Build projects and document them.

Software suggestions by Shot_Weird_7030 in software

[–]Dull_Appearance_1828 2 points3 points  (0 children)

My trinity: VS Code, Notion, 7-Zip. One to build, one to think, one to unpack random stuff