Spreedly Core isn't for handling specific requirements per se, but changing the entire scope of compliance. Basically, if you're only doing card-not-present transactions and you never store, process or transmit cardholder data, you qualify for SAQ A. The full eligibility requirements for SAQ A consist of the following:
* Your company handles only card-not-present (e-commerce or mail/telephone-order) transactions;
* Your company does not store, process, or transmit any cardholder data on your systems or premises, but relies entirely on third party service provider(s) to handle all these functions;
* Your company has confirmed that the third party(s) handling storage, processing, and/or transmission of cardholder data is PCI DSS compliant;
* Your company retains only paper reports or receipts with cardholder data, and these documents are not received electronically; and
* Your company does not store any cardholder data in electronic format.
Laziness is one of the three great virtues of a programmer according to Larry Wall. "Laziness" was used in the context of all three virtues: http://c2.com/cgi/wiki?LazinessImpatienceHubris
I don't think anyone has had a more pragmatic solution than Jack LaLanne: "If man made it, don't eat it." You can't out-exercise a shitty diet of processed, convenient "food."
The notion that you can kill a person with diabetes by hacking their insulin pump is absurdly ridiculous. I can't think of an insulin pump that does not have a setting to limit the maximum bolus. In addition, the setting typically has a sane value and is enabled by default. Further, when a pump is set up with a doctor/nurse practitioner, this value is set to a number that is tuned to the person with diabetes. There is also feedback when the pump is delivering insulin. I know this is the case with Animas and Medtronic pumps.
So even if someone got in range, had your serial number, knew the protocol and attempted an insane dosage, the worst that would happen is someone didn't notice the delivery feedback and hit the max bolus. While this would be the worst-case breach, it is not lethal. Within an hour, the victim will feel hypoglycemic, check their blood glucose and correct it.
Cheap/expensive is relative. More importantly, insulin is only a tiny cost of the care of Type 1 diabetes. Diabetics need to check blood sugar levels anywhere from 3-5 times a day, sometimes more if ill or for other circumstances. Test strips can cost a patient as much as $1 per strip.
Also, insulin requires a subcutaneous injection for delivery. That means a new syringe 3-4 times per day depending on the therapy. Or, you could get an insulin pump at about $5k and pay for insets, tubing, reservoirs and other miscellaneous supplies. Those need to be swapped out every three days.
Want to add continuous glucose monitoring to your therapy? Even more supplies. Add it all up and treating T1 diabetes is nothing close to cheap no matter how deep your pockets are.
Spreedly has fulfilled all the requirements of SAQ D. The compliance status is not just the result of vulnerability scanning. https://spreedly.com/info/faq/