This question talks about different payment processors and what they cost, but I'm looking for the answer to a different question: what do I need to do if I want to accept credit card payments?
Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not availabl...
Is there any way instead of a JS hack where I can post from an iframe to another page outside the iframe?
The iframe is posting data to a 3rd party and then just responding back with a URL which is the redirection URL, thus we cannot set the form target. We are PCI compliant and thus we cannot use window.parent.location = url;
...
In my ASP web page I am displaying SSN number
" name ="txtSSNID" size ="20">
The Fortify Developer tool detects this as an error. How can I fix this issue?
I need to display the SSN number, but the thing is it should not be caught while testing in the Fortify developer tool for security violations.
...
Is there an easy way or online tool for checking a site's SSL vulnerability issues?
From the PCI standards I see that a site has to force SSLv3 or TLSv1 protocols and high security encryption algorithms. And I need to check if my site is compliant with those PCI DSS standards.
...
How can I ensure that all data that I've erased from the db tables is no longer stored in the mdb files (and others) on the hard disk?
Here's my situation:
My client used to store non-encrypted credit card data, in their database (SQL Server). Thanks to PCI requirements, they now encrypt all that data... However, the mdb file still has ...
PCI/DSS has a requirement indicating that an application's log should be reviewed AT LEAST daily for security events. Most network/infrastructure professionals can review network device logs but won't be familiar with actual applications. The same can be said for most security professionals.
So, are developers really stepping up to this...
Would you consider the use of caching products in the category of data at rest?
...
Does anyone have any experience with card on file services for credit cards, that handle the storage of credit card information for ongoing purchases?
We are looking for a solution that can be integrated with a custom ASP.NET app via a web service or similar but removes the storage of the info from our side of the equation in order to r...
I have had a number of requests from clients wanting to take a customer's credit card number online and then process the payment in store at a POS of terminal. I'm wondering what the best method of doing this is.
I don't want to store the credit card number on the server in plain text and I don't want to send an email with the number in...
Hello all,
I am working on a J2EE web application and we have the following requirement: it should be impossible to install an application patch with arbitrary classes. Right now patches are done by manually adding jars with fixes or even individual classes to the server classpath or to the application EAR. We also cannot use signed jars since it is ...
Has anyone got practical experience or a reference for a scheme that implements a key management scheme that would comply with the PCI DSS security standard?
There are obviously quite a few implementations around given the number of companies compliant with PCI DSS but trying to find details of them is tough. When it gets down to stori...
We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software.
Our PCI compliance auditor h...
Our applications are certified and on the list of certified PABP compliant applications. We were certified with the latest PABP 1.4. Now, PA-DSS is the new kid on the block. Is it an automatic upgrade to PA-DSS from PABP 1.4 or do we have to be re-audited?
...
So I would like to modify a PHP / MySQL application in order to store credit card (but not CVV) and bank account info securely. PCI DSS requires 1024-bit RSA/DSA. A small number of users will be given the private key in order to decrypt the batch file of account info for submission to payment processors monthly. I'm unclear if it is possible to hav...
I have a shopping cart flow like this:
Page 1. Choose Products
Page 2. Enter address, shipping, credit card details on a single page checkout.
Page 3. User confirms the order - but we want a final opportunity to upsell, so we must be able to change the amount charged. If the user abandons this page they should not be charged OR author...
We have had a PCI scan on one of our websites passed on to us by one of our clients. There are a number of reports of vulnerabilities that look something like this:
Network service: 80/443 Application URL: http://www.oursite.com/signup.php
The response contains SQL Server errors. This suggests that the hazardous characters i...
I'm trying to get PCI Compliance for my dedicated server (Red Hat Enterprise Linux), which is running Magento. When I first installed Magento on the server, I realized that RHEL comes with a PHP version which is too old for Magento (5.1.6). So, I found a separate repo with PHP version 5.2.11, which got everything running fine, but now I'...
What forms of e-commerce compliance such as PCI-DSS apply when the card details are processed by a third party such as Paypal?
I'm building a bespoke shopping cart system that uses Paypal Express, so the card details never hit my server. I do however retain customer details, so what compliance - both at a code and hardware level - must or...
As part of a PCI-DSS audit we are looking into improving our coding standards in the area of security, with a view to ensuring that all developers understand the importance of this area.
How do you approach this topic within your organisation?
As an aside we are writing public-facing web apps in .NET 3.5 that accept payment by cred...
I've never had to deal with PCI compliance before. I've been reading their documentation and it says I need to protect the credit card number, expiration date and the card holder's name. No storage of security codes ever.
In their documentation, it just says protect. Is this saying I need to encrypt these 3 columns in my database? I...