r/pcicompliance

Reporting potential CSAM Merchant – No responses?

Hi all,

Found this sub when looking for answers. There is a merchant who I will not disclose the name of who heavily promotes sale of adult content on his site on YouTube and various platforms. The setup even includes an alternative for "Model/AI model" referring to the main customer base.

The site has:
– No Age Gate
– Instant public availability of content
– No CSAM/Consent checks
– No KYC face match for sellers content
– Non functional contact email (bounces) and no functional DMCA.

I naturally used Google Console to see what payment systems they are using to find that they use "NUVEI PAYMENTS LTD". I emailed them multiple times with proof, as did others affected, but alas, no response.

I also emailed VISA/MASTERCARD both BRAM/IP divisions. I emailed Vercel (their hosting provider) and dont know what else to do.

Anyone here dealt with similar problems and got a good solution?

reddit.com
u/Winter-Post-7744 — 3 days ago

Is PCI-DSS A-EP/D certification realistic for a small startup?

Hi, we are the start-up based in South Korea.

We recently collaborated with Korean payment processing companies to develop a hosted payment processing product for users of no-code builders (such as Bubble, Webflow, and Framer).

However, the systems of existing payment processing companies are outdated, and while they require customers to install "security software", these programs actually offer lower security. Therefore, we developed our own UI and system capable of securely processing card information. Although we developed this system entirely in-house, it integrates with the payment processing companies' backend systems.

Since we developed and operate the system ourselves, the scope is not very large, but we anticipate needing PCI-DSS A-EP or D certification. Given that we are a very small startup with limited available funds, is it unreasonable to expect to obtain PCI-DSS certification?

reddit.com
u/No_Shelter_9614 — 6 days ago

What's the most effective way you've reduced PCI scope?

Looking for practical examples that had the biggest impact on reducing audit burden and compliance complexity.

reddit.com
u/SeveralBill2240 — 11 days ago

Secure Browser vs VDI

I work for a start up. We’re looking to become SAQ C-VT compliant. We have agents that take credit card numbers and input them into carrier portals, this is all done in the browser.

My question is, would a secure browser actually make us compliant?

The secure browser will prevent copy/paste, sensitive information masking, enforce conditional access, 2FA, and introduce water marks over sensitive data.

These users work from home, on their own ISP, on a workgroup windows device, using a local account.

The alternative is a VDI. I’ve used Omnissa in the past and had an awful experience with it and the MSP providing the desktops, plus I’d like to avoid spinning up a ton of infrastructure if possible. Curious if anyone is in the same boat utilizing a secure browser or might have some insight into what auditor might say about it.

reddit.com
u/SuccessfulBase9358 — 12 days ago

best way to design tokenization across multiple PSPs without expanding PCI scope?

trying to figure out tokenization strategy for a multi-region setup where each region is on a different PSP and we want customer cards to feel portable without dragging us out of SAQ-A.

we're on Stripe for US, Adyen for EU, and Worldpay for UK. each PSP gives us their own token vaulting, but customers expect to move between regions without re-entering card details, and our merchant agreements with our acquirers limit how creatively we can pass tokens around.

network tokenization through Visa/mastercard looks cleanest but coverage across PSPs is uneven and it's more work than the vendors say.

saved a thread on this sub a while back where some folks recommended a few options worth checking, i think it was a mix of network tokens, PSP-agnostic vault providers like Basis Theory and Spreedly, and going with a commerce backend that handles the tokenization layer natively (i remember SCAYLE came up because they apparently handle this for multi-PSP fashion brands), but i can't find the thread now.

what's working in practice for brands juggling 3+ PSPs at this point, particularly on whether the commerce-backend approach holds up or if it just shifts the integration burden somewhere else?

reddit.com
u/dettol99perc — 11 days ago