[Owasp-alabama] PCI question

owasp-alabama at lists.owasp.org owasp-alabama at lists.owasp.org
Tue Aug 10 11:25:34 EDT 2010


Thanks a lot for the educated replies!

Cheers!
-S



On Mon, Aug 9, 2010 at 6:26 PM,  <owasp-alabama at lists.owasp.org> wrote:
> Does the company develop commercial software?  Or are they writing in-house
> software to support their own business processes?
> If they are developing a commercial product then they need to comply with
> PA-DSS requirements.  Otherwise PCI-DSS is required to address the security
> controls for their company environment: servers and workstations.
> Defining PCI scope, what's in versus what's out, is the toughest part at
> times.  From a software engineering standpoint consuming an external WS API
> does not exempt them from either PCI scope.  It's still getting processed
> through their code.  Even attempting to delineate functionality within the
> runtime environment is not always possible because cardholder data still
> gets processed through the hosting web server's environment which *could* be
> written to a log file, intercepted on the server, or copied in memory while
> passing through.
> The merchants I have seen effectively sidestep some of the burden of PCI
> regulations are outsourcing the card processing responsibilities completely,
> i.e. no storing, processing, or transmitting in any sense.  Usually done by
> redirecting the payment (eCommerce) process URL to a third party hosted on a
> different server.  Not with Post.
> Michael
>
>
> On Mon, Aug 9, 2010 at 5:20 PM, <owasp-alabama at lists.owasp.org> wrote:
>>
>> Hey there
>>
>> I got hit by a question about integration with payment processors like
>> authorize.net and PCI compliance, and I need another opinion to
>> (in)validate my response.
>> The organization in hand does not want to go through PCI compliance
>> thing, so they are using authorize.net. They are currently consuming a
>> WS API, to which they submit the results of a form that they host
>> themselves. They do not persist the CC data, they just transmit it
>> through web app code.
>>
>> My understanding is that even if you are transmitting CC data
>> (capturing through a form and posting to a service, without
>> persisting), you still are in scope of PCI.
>>
>> Am I wrong? Just need some validation from others who deal with this
>> daily.
>>
>> Thanks
>> -S
>> _______________________________________________
>> Owasp-alabama mailing list
>> Owasp-alabama at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-alabama
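The two integration patterns discussed in the thread, written out as an added example (not code from the list, from authorize.net, or from either poster). Pattern 1 is the setup S describes: the merchant hosts the card form and its own handler forwards the fields to the processor's API. Pattern 2 is the sidestep Michael describes: the merchant redirects the browser to a processor-hosted payment page and never receives the card fields. The processor hostname, the `x_*` API field names, the `/checkout` path and the request-log format are assumptions for illustration. After running both, the block does what an assessor would do with the "could be written to a log file" point: it scans the server's own request log for Luhn-valid 13-19 digit numbers.

```python
# Added example for the OWASP Alabama thread above, not code from the list or
# from authorize.net. Processor URL, API field names and log format are assumed.
import re
from urllib.parse import urlencode


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check; PANs are 13-19 digits, so anything else is rejected."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# 13-19 digits, optionally separated by a space, a '+' (url-encoded space) or a dash,
# and not glued onto a longer digit run such as a timestamp or transaction id.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ +-]?){13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs embedded in arbitrary text (log line, body, dump)."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ +-]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def handle_checkout_post(form: dict, access_log: list) -> dict:
    """Pattern 1: merchant-hosted form, merchant handler forwards to the processor.
    The PAN passes through merchant code and, here, a debug-level request log,
    so the server is in scope even though nothing is persisted on purpose."""
    access_log.append("POST /checkout " + urlencode(form))
    return {                                # hypothetical processor API request
        "x_login": "MERCHANT_ID",
        "x_card_num": form["card_number"],
        "x_exp_date": form["exp"],
        "x_amount": form["amount"],
    }


def handle_checkout_redirect(order: dict, access_log: list) -> str:
    """Pattern 2: the merchant knows only order id and amount and redirects the
    browser to a processor-hosted page that renders the card form itself.
    The PAN never reaches the merchant's server."""
    access_log.append("GET /checkout " + urlencode(order))
    params = {"merchant": "MERCHANT_ID",
              "order": order["order_id"], "amount": order["amount"]}
    return "https://hosted.example-processor.test/pay?" + urlencode(params)  # hypothetical host


def scan_log(access_log: list) -> list:
    """Assessor's view: every PAN the server's own log captured."""
    return [pan for line in access_log for pan in find_pans(line)]


def demo() -> dict:
    """Run both patterns on constructed input (4111... is the common Visa test PAN)."""
    post_log, redirect_log = [], []
    handle_checkout_post({"card_number": "4111 1111 1111 1111", "exp": "1212",
                          "amount": "10.00"}, post_log)
    handle_checkout_redirect({"order_id": "1001", "amount": "10.00"}, redirect_log)
    return {"post_pattern": scan_log(post_log), "redirect_pattern": scan_log(redirect_log)}


if __name__ == "__main__":
    print(demo())
```

Running it, the post pattern yields one PAN hit from the merchant's own request log and the redirect pattern yields none, which is the whole scoping difference in one line of output. The same `find_pans` scan pointed at real access, error and debug logs is a quick way to test a "we don't store it" claim before an assessor does.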

