InfoSec Insider Podcast - s2 e41 - PCI DSS and Service Providers

In this episode of InfoSec Insider, Alastair Stewart and Tibor Laczko, both Senior Consultants and Qualified Security Assessors (QSAs) with URM, explore some of the most misunderstood areas of PCI DSS scoping, focusing on service providers, merchants, and complex modern payment architectures. Alastair and Tibor leverage nearly 30 years’ combined experience with the PCI DSS to discuss: • When an organisation stops being “just a merchant” and becomes a PCI DSS service provider, and what really drives that distinction • How an organisation can be both a merchant and a service provider at the same time, and how this should be handled during a PCI DSS assessment • The most common mistakes organisations make when deciding how they should be classified for PCI DSS purposes • Whether companies providing payment-enabled platforms, but not directly handling PAN, can still fall under the definition of a service provider • The responsibilities that remain when a third-party platform hosts the payment page but payment fields are served directly by a provider • And more. Ask Alastair and Tibor a question:  https://www.urmconsulting.com/podcast... If you enjoyed this episode of InfoSec Insider, you can leave us a rating and review here:  https://ratethispodcast.com/infosecin...       You can find more episodes of InfoSec Insider here:  https://urmconsulting.com/podcasts?ut...         Brought to you by URM, the UK’s leading information and cyber security specialists.