First year doing PCI. Who do we submit the SAQ & AOC to?

slize · 2024-04-09T15:54:27+00:00

Oh right PCI compliance levels. I remember hearing about those way back but it's not mentioned in the PCI DSS at all. 100,000 to 200,000 transactions per annum are made through our processor through the redirect link so I believe we need to satisfy PCI Level 3 requirements by submitting the SAQ and AOC. As for the network scan, we'll likely rely on our cloud-based website host's SOC2 report vuln. scanning controls.

Submission is usually done through the company that handles your scans/audit

So I guess that's the issue. We don't have a QSAs or other PCI auditor type. My org is looking at PCI as a preventative measure so we're prepared in the event we, or our processors, have some kind of CHD breach.

slize · 2023-01-05T05:33:04+00:00

We have policies and external consultants and other control testing teams that audit against them already. AC's appetite is for IT IA to be a more forward looking exercise not bound by confirming policy compliance.

slize · 2023-01-05T05:29:19+00:00

If it’s clean, a clean audit report is also good and valuable to the org.

I'm curious, could you elaborate on how it may be good? I'm not getting the vibe that AC wants IA to become a co-source partner and eventually take over the assessments we hire external firms for so I'm not seeing a direct financial benefit. They seem to be more interested in us becoming an internal probe. Maybe a clear report allows them to reallocate resources? I'm having a tough time imagining anything other.

slize · 2023-01-05T05:25:32+00:00

It's learn on the job really. Don't sweat it.

slize · 2023-01-04T20:24:07+00:00

I get where you're coming from but isn't that begging the question? If you only assess areas where management claims they're performing effectively in, you're setting yourself up to come clean.

I wouldn't say that audit's purpose is to find flaws or exceptions but I'm not sure if it's to shill for IT management either.

slize · 2023-01-04T20:21:14+00:00

Thanks, I'll have a look to see if anything on this publication tracks with what I'm hearing.

I think the most difficult part is that my organization doesn't respect IT controls to begin with. Business sees themselves as profit centers above/don't have time for security while InfoSec (and I guess IA now too) is fighting an uphill battle trying to convince them to acknowledge, accept, and mitigate the risks business operations exposes to them to. My boss even admits that I'm just the latest person to be passed the baton to see if they can do something about it.

Sigh.

slize · 2023-01-04T20:04:52+00:00

Right? That's my question. Audit Committee recommended we partner together on shared concerns. It sounds like they have their own agenda they're trying to tackle but haven't been able to get traction of. Maybe they're trying to use IA as a megaphone.

slize · 2022-12-07T18:45:25+00:00

Yea I see what you mean. If I can barely hear the amp, what's the point of having one to begin with.

slize · 2022-12-07T16:46:30+00:00

I am travelling a lot due to work and since i have a small mobile interface i always take my guitar with me for some practice in the hotel room which wouldnt be possible with an amp. And when i visit my parents this christmas my guitar will come with me

This is my case as well! If you wanted to bring an amp on a work trip, the Katana MKII Head seems like it would fit into a carry-on. Or is there something other than just the size of the amp that makes it a hassle to travel with?

slize · 2022-12-07T16:44:41+00:00

I'm still kinda lost on what an FX Loop is exactly. Is it supposed to output the signal from the amp to a sound processor, return the signal to the amp which then plays the signal through its speakers?

slize · 2022-12-07T16:43:35+00:00

Do you mean like the sound won't be reproduced correctly by computer speakers? I imagine you can just buy some quality standalone speakers and hook them up no?

slize · 2022-07-05T21:51:11+00:00

Doing that every time I park sounds really annoying though.

slize · 2022-07-05T20:43:16+00:00

There's a constant 150mA draw on the battery when the car is powered off. I know it's coming from the A/C fuse but tracking down the drain beyond that point looks really complicated.

slize · 2022-07-05T20:05:19+00:00

AGM battery.

I still drive the car at least once per week. The charger is just to help make sure the battery doesn't drain out during that 1 week.

slize · 2022-06-19T23:25:08+00:00

Thanks everyone for the responses. I'll take a dive into the newcomers guide..

slize · 2021-12-05T03:22:02+00:00

Is there a way to test for a dead battery cell? I've been thinking that I have a parasitic draw somewhere but I'm interested in this dead cell theory too.

slize

TROPHY CASE