[Owasp-alabama] PCI question

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Mon Aug 9 18:56:37 EDT 2010


Anyone who stores, transmits, or touches PCI data has to be PCI compliant.
In this scenario, it sounds like the application and interconnected systems
would have to be PCI compliant. So you would have to perform the
self-assessment and perform quarterly vuln scans and yearly pentests. PCI
will also want the application to have a code review or Web application
firewall (WAF) in place.

Depending on the merchant sales volume, more in-depth procedures may be


josh at packetfocus.com
205 390 3421

-----Original Message-----
From: owasp-alabama-bounces at lists.owasp.org
[mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
owasp-alabama at lists.owasp.org
Sent: Monday, August 09, 2010 5:20 PM
To: owasp-alabama at lists.owasp.org
Subject: [Owasp-alabama] PCI question

Hey there

I got hit by a question about integration with payment processors like
authorize.net and PCI compliance, and I need another opinion to (in)validate
my response.
The organization in hand does not want to go through PCI compliance thing,
so they are using authorize.net. They are currently consuming a WS API, to
which they submit the results of a form that they host themselves. They do
not persist the CC data, they just transmit it through web app code.

My understanding is that even if you are transmitting CC data (capturing
through a form and posting to a service, without persisting), you still are
in scope of PCI.

Am I wrong? Just need some validation from others who deal with this daily.
