<div dir="ltr"><div dir="ltr">Except where, subject to an order under 317j, concealing the existence of a TCN/TAN forms part of the terms.</div><div dir="ltr"><br></div><div>In those situations, there can be no "warrant canary". An auditor has no way of knowing if such a direction exists, and someone reading a Report on Compliance has no way of knowing if such a direction exists. Consequently every PCI compliance attestation becomes suspect, and consequently the whole PCI compliance regime is systematically weakened.<br></div><div><br></div><div>Kind regards</div><div><br></div><div>Paul Wilkins<br></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, 22 Oct 2018 at 13:04, Christian Heinrich <<a href="mailto:christian.heinrich@cmlh.id.au">christian.heinrich@cmlh.id.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Paul,<br>
<br>
On Mon, Oct 22, 2018 at 11:32 AM Paul Wilkins <<a href="mailto:paulwilkins369@gmail.com" target="_blank">paulwilkins369@gmail.com</a>> wrote:<br>
> I suppose auditors can qualify any report that mandated TCNs/TANs are excepted, but are you then "PCI Compliant"?<br>
<br>
Not possible as this would be separate from the Cardholder Data<br>
Environment (CDE) and the encryption of "data in transit" is PCI-DSS<br>
Requirement 4.1.c.<br>
<br>
If the definition of the CDE were to change in the future then a<br>
"warrant canary" would signify this within the "Report on Compliance"<br>
(RoC) or "Self Assessment Questionnaire" (SAQ).<br>
<br>
<br>
-- <br>
Regards,<br>
Christian Heinrich<br>
<br>
<a href="http://cmlh.id.au/contact" rel="noreferrer" target="_blank">http://cmlh.id.au/contact</a><br>
</blockquote></div>