pci-dss

Payment Processors - What do I need to know if I want to accept credit cards on my website?

This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments? Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not availabl...

Is there any way instead of a JS hack where I can post from an iframe to another page outside the iframe?

Is there any way instead of a JS hack where I can post from an iframe to another page outside the iframe? The iframe is posting data to a 3rd party and then just responding back with a URL which is the redirection URL, thus we cannot set the form target. We are PCI compliant and thus we cannot use window.parent.location = url; ...

How can I display my SSN id in the ASP web page with PCI standards

In my ASP web page I am displaying the SSN number " name ="txtSSNID" size ="20"> The Fortify Developer tool detects this as an error. How can I fix this issue? I need to display the SSN number, but it should not get caught while testing in the Fortify developer tool for security violations ...

How can I check for SSL vulnerabilities on my web server?

Is there an easy way or online tool for checking a site's SSL vulnerability issues? From the PCI standards I see that a site has to force SSLv3 or TLSv1 protocols and high security encryption algorithms. And I need to check if my site is compliant with those PCI DSS standards. ...

Old data stored in database file

How can I ensure that all data that I've erased from the db tables is no longer stored in the mdb files (and others) on the hard disk? Here's my situation: My client used to store non-encrypted credit card data in their database (SQL Server). Thanks to PCI requirements, they now encrypt all that data... However, the mdb file still has ...

How much time does a developer spend reviewing logs?

PCI/DSS has a requirement indicating that an application's log should be reviewed AT LEAST daily for security events. Most network/infrastructure professionals can review network device logs but won't be familiar with actual applications. The same can be said for most security professionals. So, are developers really stepping up to this...

PCI/DSS: Data at Rest

Would you consider the use of caching products in the category of data at rest? ...

Credit Card - Card on file services?

Does anyone have any experience with card on file services for credit cards, that handle the storage of credit card information for ongoing purchases? We are looking for a solution that can be integrated with a custom ASP.NET app via a web service or similar but removes the storage of the info from our side of the equation in order to r...

Taking credit card information online without processing -- how best to do so?

I have had a number of requests from clients wanting to take a customer's credit card number online and then process the payment in store at a POS terminal. I'm wondering what the best method of doing this is. I don't want to store the credit card number on the server in plain text and I don't want to send an email with the number in...

Checking patch integrity

Hello all, I am working on a j2ee web application and we have the following requirement: it should be impossible to install an application patch with arbitrary classes. Right now patches are done by manually adding jars with fixes or even individual classes to the server classpath or to the application EAR. We also cannot use signed jars since it is ...

How to properly do private key management

Has anyone got practical experience or a reference for a scheme that implements a key management scheme that would comply with the PCI DSS security standard? There are obviously quite a few implementations around given the number of companies compliant with PCI DSS but trying to find details of them is tough. When it gets down to stori...

Preventing executables with invalid Authenticode signatures from running

We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software. Our PCI compliance auditor h...

PABP 1.4 versus PA-DSS - Do we need to upgrade?

Our applications are certified and on the list of certified PABP compliant applications. We were certified with the latest PABP 1.4. Now, PA-DSS is the new kid on the block. Is it an automatic upgrade to PA-DSS from PABP 1.4 or do we have to be re-audited? ...

storing credit card info

So I would like to modify a PHP / MySQL application in order to store credit card (but not CVV) and bank account info securely. PCI DSS requires 1024 RSA/DSA. A small number of users will be given the private key in order to decrypt the batch file of account info for submission to payment processors monthly. I'm unclear if it is possible to hav...

Minimizing PCI compliance when my checkout flow has a confirmation page

I have a shopping cart flow like this: Page 1. Choose Products Page 2. Enter address, shipping, credit card details on a single page checkout. Page 3. User confirms the order - but we want a final opportunity to upsell, so we must be able to change the amount charged. If the user abandons this page they should not be charged OR author...

Vulnerability reports from PCI-DSS scan

We have had a PCI scan on one of our websites passed on to us by one of our clients. There are a number of reports of vulnerabilities that look something like this: Network service: 80/443 Application URL: http://www.oursite.com/signup.php The response contains SQL Server errors. This suggests that the hazardous characters i...

PCI Compliance + Magento + PHP version

I'm trying to get PCI Compliance for my dedicated server (Red Hat Enterprise Linux), which is running Magento. When I first installed Magento on the server, I realized that RHEL comes with a PHP version which is too old for Magento (5.1.6). So, I found a separate repo with PHP version 5.2.11, which got everything running fine, but now I'...

E-commerce compliance when card details are processed by a third party

What forms of e-commerce compliance such as PCI-DSS apply when the card details are processed by a third party such as Paypal? I am building a bespoke shopping cart system that uses Paypal Express, so the card details never hit my server. I do however retain customer details, so what compliance - both at a code and hardware level - must or...

Software and Security - do you follow specific guidelines?

As part of a PCI-DSS audit we are looking into improving our coding standards in the area of security, with a view to ensuring that all developers understand the importance of this area. How do you approach this topic within your organisation? As an aside, we are writing public-facing web apps in .NET 3.5 that accept payment by cred...

SQL Server 2008 + PCI Compliance? Pertains to PCI, as well as Symmetric keys!

I've never had to deal with PCI compliance before. I've been reading their documentation and it says I need to protect the credit card number, expiration date and the card holder's name. No storage of security codes ever. In their documentation, it just says protect. Is this saying I need to encrypt these 3 columns in my database? I...