[Owasp-alabama] PCI question

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Mon Aug 9 19:26:41 EDT 2010


Does the company develop commercial software?  Or are they writing in-house
software to support their own business processes?

If they are developing a commercial product then they need to comply with
PA-DSS requirements.  Otherwise PCI-DSS is required to address the security
controls for their company environment: servers and workstations.

Defining PCI scope, what's in versus what's out, is the toughest part at
times.  From a software engineering standpoint consuming an external WS API
does not exempt them from either PCI scope.  It's still getting processed
through their code.  Even attempting to delineate functionality within the
runtime environment is not always possible because cardholder data still
gets processed through the hosting web server's environment which *could* be
written to a log file, intercepted on the server, or copied in memory while
passing through.

The merchants I have seen effectively sidestep some of the burden of PCI
regulations are outsourcing the card processing responsibilities completely,
i.e. no storing, processing, or transmitting in any sense.  Usually done by
redirecting the payment (eCommerce) process URL to a third party hosted on a
different server.  Not with POST.

Michael
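To illustrate the point above that card data relayed through the merchant's own code can land in a log file, here is an added example (written for this page, not code from the thread, OWASP, or any payment vendor): a Luhn-validated PAN detector run over constructed log lines from the form-post flow and the redirect flow, plus a scrubber for the log sink. The sample lines, the widely used test card number 4111111111111111, and all function names are assumptions.

```python
import re
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod-10) check that card numbers satisfy; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits_if_pan(candidate: str) -> str:
    """Return the bare digits when the candidate is a Luhn-valid PAN, else an empty string."""
    digits = re.sub(r"[ -]", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_pans(text: str) -> List[str]:
    """Luhn-valid PANs (digits only) found in one line of text."""
    return [d for m in PAN_CANDIDATE.finditer(text) if (d := _digits_if_pan(m.group(0)))]


def scrub(text: str) -> str:
    """Mask all but the last four digits of each detected PAN before the line reaches a log."""
    def _mask(m: "re.Match[str]") -> str:
        digits = _digits_if_pan(m.group(0))
        return "*" * (len(digits) - 4) + digits[-4:] if digits else m.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


# Constructed sample log lines (assumption, not from the thread).
# Line 0: the form-post flow, where the merchant's own code relays card data to the
#         processor and a request-body debug logger captures it -> in PCI scope.
# Line 1: the redirect flow, where only a processor-issued transaction id comes back.
# Line 2: a 16-digit order id that is NOT a card number (fails Luhn); must not be flagged.
SAMPLE_LOG = [
    "POST /checkout body=card=4111111111111111&exp=1012&cvv=123",
    "GET /return?txn=ab12cd34&status=approved",
    "order_id=1234567890123456 shipped",
]


def scan_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map each line index to the PANs it leaks; an empty dict means no cardholder data hit the log."""
    return {i: pans for i, line in enumerate(lines) if (pans := find_pans(line))}
```

Run `scan_log(SAMPLE_LOG)` to see that only the form-post line is flagged; `scrub` shows what the log sink should have written instead.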



On Mon, Aug 9, 2010 at 5:20 PM, <owasp-alabama at lists.owasp.org> wrote:

> Hey there
>
> I got hit by a question about integration with payment processors like
> authorize.net and PCI compliance, and I need another opinion to
> (in)validate my response.
> The organization in hand does not want to go through PCI compliance
> thing, so they are using authorize.net. They are currently consuming a
> WS API, to which they submit the results of a form that they host
> themselves. They do not persist the CC data, they just transmit it
> through web app code.
>
> My understanding is that even if you are transmitting CC data
> (capturing through a form and posting to a service, without
> persisting), you still are in scope of PCI.
>
> Am I wrong? Just need some validation from others who deal with this
> daily.
>
> Thanks
> -S