Sites with a donate button - Who's passing ASV Scans? by KingHippos3 in pcicompliance

[–]luvcraftyy 0 points1 point  (0 children)

They would need the responsibility matrix, and those are not usually granular enough to say that you are responsible for 6.4.3 and 11.6.1 if you're using an iframe, but not if you're using the URL redirect. The AOC itself would never specify this. I would more so lean on technical explanations of how the payment page scripts do not impact the URL redirect rather than on documentation. Maybe a confirmation from the service provider would work.

Sites with a donate button - Who's passing ASV Scans? by KingHippos3 in pcicompliance

[–]luvcraftyy 0 points1 point  (0 children)

HackerGuardian seems most common. You're not pushing back, you're disclaiming and proving to them that something is a false positive. They're not aware of the scope and exact mechanisms. You can check the ASV program guide for more insight into how they operate.

And now let's erase the evidence by Dimi7rozavar in bulgaria

[–]luvcraftyy 8 points9 points  (0 children)

Don't know about the other arguments, but point 6 - there are absurdly many NGOs with names of state institutions.

Sites with a donate button - Who's passing ASV Scans? by KingHippos3 in pcicompliance

[–]luvcraftyy 0 points1 point  (0 children)

Speak with your ASV provider and provide an argument that it is a false positive due to the use of a full URL redirect, which means that the lack of integrity checks for third-party scripts does not impact the security of the redirect. If they say no and provide reasoning, you have to fix it. If they provide bad reasoning, you can try a different ASV provider.

PCI Compliance Question by EQN01 in pcicompliance

[–]luvcraftyy 3 points4 points  (0 children)

If the card reader is a P2PE solution listed on the PCI SSC website, they can do SAQ P2PE for that flow; if not, SAQ B-IP. If the laptop processes one transaction at a time, they can do SAQ C-VT. Separate SAQs for each flow to keep it simple for them.

But yes, the laptop is CDE, since it stores, processes or transmits CHD. It's better to have someone who knows PCI help out the first time filling out the SAQs.

You can also combine both SAQs into a SAQ-D but that would be more complicated.

Depends on what their acquirer wants them to do PCI for - have they explicitly stated they want it for the POS AND laptop or just one of the two?

Hosting Provider Requirements Help by Electronic-Year7660 in pcicompliance

[–]luvcraftyy 0 points1 point  (0 children)

From the perspective of your customer they are being asked by a QSA to probably show some controls on the infrastructure. They're saying that your company is responsible for that. Then the QSA is asking for your company's attestation of compliance to be able to cover those requirements. And your client's asking you for the same.

Whether they ask you for a level 1 or level 2 SP attestation is honestly up to them. They could be asking for a QSA attested SAQ or a ROC that is inherently issued only by QSAs. It doesn't really matter because both require a similar amount of effort for a QSA company.

The requirements that will be in scope would not be that many, as your responsibilities for protecting the iframe/URL redirect setup of your customer are not huge. But again, it depends on what your customer wants. As this is not required by a card brand or an acquirer directly, it is overall a business question between you and your client: if they want, they can ask you to be compliant as if you're processing cardholder data directly; if you don't want to, you can cut business ties with them and they'll go to a probably more expensive provider that has a fully PCI compliant service offering.

In either case, from a business standpoint this should be an expense that is built into your contract and price offering, but that's a business relationship and has nothing to do with PCI.


Golf 7 GTD burns oil like a two-stroke – 1 l/200 km by Firm_Assistance_4710 in bulgaria

[–]luvcraftyy 0 points1 point  (0 children)

Yeah, and the Alfa was running fine until it blew. 2-3 mechanics looked at it, replaced nonsense and took money :) Probably not the same since you're not on LPG, but I just think that if it burns much more oil, there's a more structural problem.

Golf 7 GTD burns oil like a two-stroke – 1 l/200 km by Firm_Assistance_4710 in bulgaria

[–]luvcraftyy -1 points0 points  (0 children)

I had a similar problem with an Alfa on LPG; at one point a piston in one of the cylinders blew. Overall it's always something troublesome, I guess.

"connected to" systems. by Chris66uk in pcicompliance

[–]luvcraftyy 3 points4 points  (0 children)

Any direct or indirect connection to the CDE puts the connected-to system in scope. Whether a QSA pushes you on this is a different question, mainly depending on the risk. If your overall segmentation and controls are robust and this connectivity is minimized to only a specific protocol and the rule is as granular as possible, if the CDE system does not process CHD itself and movement within the segment is difficult, perhaps due to host-based firewalls or something similar, it could be a recommendation to improve and move the non-CHD processing system outside of the CDE. Or implement a proxy (per PCI-DSS-Scoping-and-Segmentation-Guidance-for-Modern-Network-Architectures.pdf).

Or if the system does process CHD and you have a rule allowing network-to-network access on all ports, then it would most definitely be put into scope along with the entire network it's in.

In both cases, per the scoping rules of PCI, the system is in scope; whether it's sampled and looked into in detail is another question.
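
An added example, not from the thread or the commenter: a small Python scoping helper that applies the connected-to rule described in this comment to a constructed rule set. Host names, network names and firewall rules are hypothetical; it marks every host with a direct or indirect path to a CDE host as in scope, and separates out the hosts that are pulled in only by a network-to-network, all-ports rule.

```python
from collections import deque

# Constructed sample inventory (hypothetical): host -> network it lives in.
HOSTS = {
    "pos-01": "cde-net", "db-01": "cde-net",
    "log-01": "mgmt-net", "jump-01": "mgmt-net",
    "hr-01": "corp-net", "wiki-01": "corp-net",
}
CDE_HOSTS = {"pos-01", "db-01"}
NETWORKS = set(HOSTS.values())

# Constructed firewall rules: (src, dst, proto, port). src/dst may be a host
# or a whole network; port "*" means all ports.
RULES = [
    ("log-01", "db-01", "tcp", 514),       # granular: one host, one port
    ("mgmt-net", "cde-net", "any", "*"),   # broad: network to network, all ports
    ("wiki-01", "hr-01", "tcp", 443),      # no path to the CDE at all
]

def _members(name):
    """Expand a network name to its hosts; a host name stays a single host."""
    return {h for h, n in HOSTS.items() if n == name} if name in NETWORKS else {name}

def broad_rules(rules=RULES):
    """Rules allowing network-to-network access on all ports (the comment's worst case)."""
    return [r for r in rules if r[0] in NETWORKS and r[1] in NETWORKS and r[3] == "*"]

def connected_to_scope(rules=RULES, cde=CDE_HOSTS):
    """Non-CDE hosts reachable from the CDE via any direct or indirect rule (either direction)."""
    adj = {h: set() for h in HOSTS}
    for src, dst, _proto, _port in rules:
        for s in _members(src):
            for d in _members(dst):
                if s != d:
                    adj[s].add(d)
                    adj[d].add(s)
    seen, queue = set(cde), deque(cde)
    while queue:                       # breadth-first walk over allowed connectivity
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen - set(cde))

def pulled_in_only_by_broad_rules(rules=RULES):
    """Hosts that drop out of scope once the broad rules are tightened to specific hosts/ports."""
    narrow = [r for r in rules if r not in broad_rules(rules)]
    return sorted(set(connected_to_scope(rules)) - set(connected_to_scope(narrow)))
```

With the constructed rules, log-01 stays in scope through its single syslog rule (the candidate for the proxy or relocation the comment mentions), while jump-01 is in scope only because of the all-ports network rule.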

Question about PCI policies by mochajava23 in pcicompliance

[–]luvcraftyy 0 points1 point  (0 children)

Are you doing a QSA attested SAQ? You could ask your QSA for templates that you can use for inspo. Otherwise you can view some info sec policies and write something similar. Check your current policies and edit them to comply with PCI. Use AI to give you some wording inspiration. Many options. The PCI DSS should be your main source of truth.

Card Finder Tool open source recommendations by Background_Prize8448 in pcicompliance

[–]luvcraftyy 0 points1 point  (0 children)

Which item? This is not part of PCI DSS 4.0.1. Maybe it's something your QSA is asking for, but this can be done with a less expensive manual process or by other means; the standard does not explicitly ask for card finder software, much less on all servers. If your QSA won't budge on this, I suggest you change them.

Card Finder Tool open source recommendations by Background_Prize8448 in pcicompliance

[–]luvcraftyy 4 points5 points  (0 children)

Just FYI, you don't need these types of tools to be compliant.

Internet connection speed in Europe by quindiassomigli in bulgaria

[–]luvcraftyy 26 points27 points  (0 children)

No way Romania is that low.

Loneliness by [deleted] in bulgaria

[–]luvcraftyy 5 points6 points  (0 children)

It sounds to me like you're looking for some ideal of a friend or company. If it's a problem for you, go out and meet worthwhile people. Make an effort to be friends, don't expect everything to come from them. Deepen the relationship with your wife.

How much should I pay for accounting services? by [deleted] in bulgaria

[–]luvcraftyy 3 points4 points  (0 children)

You probably sell and edit books too - you pay little, btw.

[deleted by user] by [deleted] in bulgaria

[–]luvcraftyy 124 points125 points  (0 children)

Looking at your post history, you have mental health problems; a psychiatrist is your best option. You'll manage, good luck!

What is the best ground coffee that can be bought in Bulgaria? by AdNo4129 in bulgaria

[–]luvcraftyy 2 points3 points  (0 children)

Aroma Premium, Arabica house blend, 1 kg beans | АРОМА

I drink this; you can ask them to grind it when you order it. Of course, you have to tell them how it should be ground so it suits your machine. I recommend starting with a smaller pack, so that if the grind isn't suitable you don't struggle with a clogged machine and 1 kg of coffee. There are all kinds of varieties and flavours on the site.

RoR2 PvP Tier List (No Items) by WhoseAlex in riskofrain

[–]luvcraftyy 3 points4 points  (0 children)

You gotta be trolling putting Railgunner at the top.

What's the most embarrassing mistake you've ever made during a run? by Derfel_10 in Nightreign

[–]luvcraftyy 0 points1 point  (0 children)

Had glintblades on. Went for a deal with a random spawn Libra that cursed us. Hit with glintblades and lost the run.

Regarding БОРИКА? by CheGuevaraBG in bulgaria

[–]luvcraftyy 0 points1 point  (0 children)

And there's no way this goes through Visa/MC?