pci-dss

Online Credit Card Storage?

I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing. Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information i...

How is 'processing credit card data' defined (PCI)?

If I have a web application and I receive credit card data transmitted via a POST request by a web browser over HTTPS and instantly open a socket (SSL) to a remote PCI compliant card processor to forward the data and wait for a response, am I allowed to do that? Or is this receiving the data with my application and forwarding it already ...

Credit Card storage solution

Hi Everyone, I'm developing a solution that is designed to store membership details, as well as credit card details. I'm trying to comply with PCI DSS as much as I can. Here is my design so far: PAN = Primary account number == long number on credit card Server A is a remote server. It stores all membership details (Names, Address etc...

Secure Delete PCI-DSS Windows Environment

Hello, I have been reviewing a number of applications for securely deleting files. I understand the concepts of overwriting the file several times with zeros and random characters; however, I don't understand the concept of renaming the file up to thirty times before actually deleting the file. Any feedback would be greatly appreciated....

McAfee PCI Compliance failing on Session ID cookie?

Hello there. I am attempting to obtain PCI compliance for my site, but the McAfee security scan has thrown a "Potential Sensitive Persistent Cookie Sent Over a Non-Encrypted (SSL) Channel". Drupal (default behavior) sets a session cookie when you simply arrive at the site. This is causing the problem. Clearly, the entire site shouldn't...

How can I configure a PCI compliant development environment

We need to be PCI compliant for some credit card processing we do. How do people do this in other shops? How do you secure your SVN? How do you secure your build server? How does code get migrated from the developers to production? ...

How to make my site PCI compliant

Assuming I decide to use payment gateway and not to use their hosted page, but rather provide my own credit card details form, and then send data to their backend via xml as explained on this page. Then: do I need to worry about PCI compliance? If so what steps (PCI website) should be sorted out by me, my hosting company or payment gat...

using payment gateway and PCI compliance

I'm considering using eWay as a payment gateway. They offer two options. One is to allow users to type in credit card data on the eWay hosted website, the other is to use my own form and send credit card data via my server to eWay's backend. The second option (their page with details) seems more appropriate for me as the user would never leave my si...

Post-Redirect-Get Model - Data Storage Methods & PCI Compliance

My question is on how to preserve data during the redirect when using the PRG Pattern on my forms. Specifically, I'm wanting to use this in an ecommerce application. I have three options of storing the data over the redirect, and I have concerns with each. I'm hoping you guys may be able to help me work through this issue: 1.) Store...

Jasypt StandardPBEStringEncryptor setting password in spring bean configuration file

When using Jasypt's StandardPBEStringEncryptor we have to set the password explicitly in the Spring bean configuration file. Is it OK and secure to have the password in the bean configuration file? Will it be a problem for PCI Compliance to store the encryptor password? ...

Is PCI Compliance required with Payflow Link?

I have tried calling PayPal themselves, and the rep on the phone didn't even know Payflow Link could work this way, so I don't trust his advice. All my searching has encountered mixed answers. I am building an ecommerce site using Payflow Link, where the CC processing is handled on PayPal hosted pages. However, I am considering implementin...

Encryption Key Management Software and Transparent Data Encryption MySQL

For PCI compliance, is there any recommended Encryption Key Management Software? Open source preferable, but commercial is ok too. Is there a tool or software that provides both? ...

Is SQL Azure PCI-DSS Compliant?

Hi, If I were to use separate Windows Server that was PCI-DSS compliant, would I still be compliant if I had a SQL Azure hosting the backend? This is assuming that I'm compliant at the application layer, and that I'm only storing permitted values (like no CVV), etc. Thanks, Jack ...

Secure DataVault for storing credit card details - PCI DSS

I have been reading a few articles which describe using a Datavault and tokenisation to reduce the PCI DSS burden. My question is, are there any companies that offer to store data like credit card information securely in exchange for a token, and do they offer the ability to then view the data by authenticating yourself and providing a ...