[Owasp-alabama] PCI question

owasp-alabama at lists.owasp.org
Tue Aug 10 12:23:03 EDT 2010


One more thing some may miss if they are just taking ownership of "PCI
Compliance" is the glossary of terms.
https://www.pcisecuritystandards.org/pdfs/pci_dss_glossary.pdf 

Check it out, it helps (somewhat) to clarify some of the terms used in the
PCI DSS.

Eric

-----Original Message-----
From: owasp-alabama-bounces at lists.owasp.org
[mailto:owasp-alabama-bounces at lists.owasp.org] On Behalf Of
owasp-alabama at lists.owasp.org
Sent: Tuesday, August 10, 2010 10:26 AM
To: owasp-alabama at lists.owasp.org
Subject: Re: [Owasp-alabama] PCI question

Thanks a lot for the educated replies!

Cheers!
-S



On Mon, Aug 9, 2010 at 6:26 PM,  <owasp-alabama at lists.owasp.org> wrote:
> Does the company develop commercial software?  Or are they writing 
> in-house software to support their own business processes?
> If they are developing a commercial product then they need to comply 
> with PA-DSS requirements.  Otherwise PCI-DSS is required to address 
> the security controls for their company environment: servers and
> workstations.
> Defining PCI scope, what's in versus what's out, is the toughest part 
> at times.  From a software engineering standpoint consuming an 
> external WS API does not exempt them from either PCI scope.  It's 
> still getting processed through their code.  Even attempting to 
> delineate functionality within the runtime environment is not always 
> possible because cardholder data still gets processed through the 
> hosting web server's environment which *could* be written to a log 
> file, intercepted on the server, or copied in memory while passing through.
> The merchants I have seen effectively sidestep some of the burden of 
> PCI regulations are outsourcing the card processing responsibilities 
> completely, i.e. no storing, processing, or transmitting in any sense.
> Usually done by redirecting the payment (eCommerce) process URL to a 
> third party hosted on a different server.  Not with Post.
> Michael
>
>
> On Mon, Aug 9, 2010 at 5:20 PM, <owasp-alabama at lists.owasp.org> wrote:
>>
>> Hey there
>>
>> I got hit by a question about integration with payment processors 
>> like authorize.net and PCI compliance, and I need another opinion to 
>> (in)validate my response.
>> The organization in hand does not want to go through PCI compliance 
>> thing, so they are using authorize.net. They are currently consuming 
>> a WS API, to which they submit the results of a form that they host 
>> themselves. They do not persist the CC data, they just transmit it 
>> through web app code.
>>
>> My understanding is that even if you are transmitting CC data 
>> (capturing through a form and posting to a service, without 
>> persisting), you still are in scope of PCI.
>>
>> Am I wrong? Just need some validation from others who deal with this 
>> daily.
>>
>> Thanks
>> -S
>> _______________________________________________
>> Owasp-alabama mailing list
>> Owasp-alabama at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-alabama
>
>
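To make Michael's scoping point concrete, here is an added illustration (not code from this thread, from authorize.net or from any PCI document): a checkout handler that receives the card form and forwards it to the processor, beside one that redirects the browser to a processor-hosted payment page. The processor call, the hosted URL, the form field names and the log format are all assumed for the example.

```python
import re
from urllib.parse import urlencode

# Constructed sample: what the merchant's app receives when it hosts the card form itself.
SAMPLE_FORM = {"order_id": "A1001", "amount": "42.00",
               "card_number": "4111111111111111", "exp": "12/14", "cvv": "123"}
CARD_FIELDS = {"card_number", "exp", "cvv"}
PAN_RE = re.compile(r"\b\d{13,19}\b")   # crude PAN matcher; enough for a log check

def handle_direct_post(form, log, forward):
    """Pattern 1 (stays in PCI scope): the merchant's handler receives the card form and
    forwards it to the processor's API. The PAN passes through this process, so routine
    request logging writes it to disk."""
    log.append("POST /checkout " + urlencode(form))  # typical debug/access log line
    return forward(form)

def handle_hosted_redirect(form, log, hosted_url="https://payments.example/pay"):
    """Pattern 2 (outsourced): the merchant page collects no card fields; the browser is
    redirected to the processor's hosted page carrying only order id and amount."""
    leaked = CARD_FIELDS.intersection(form)
    if leaked:  # a card field reaching this handler means the form was wired wrongly
        raise ValueError("card fields must not reach the merchant server: %s" % sorted(leaked))
    log.append("GET /checkout " + urlencode(form))
    query = urlencode({"order_id": form["order_id"], "amount": form["amount"]})
    return "302 %s?%s" % (hosted_url, query)

def redact(line):
    """Compensating control for pattern 1: mask all but the last four PAN digits before logging."""
    return PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], line)

def log_contains_pan(log):
    return any(PAN_RE.search(line) for line in log)

def demo():
    """Run both patterns over the constructed form and report what reached the logs."""
    direct_log, hosted_log = [], []
    fake_processor = lambda f: {"status": "approved", "last4": f["card_number"][-4:]}  # stand-in for the WS API
    handle_direct_post(SAMPLE_FORM, direct_log, fake_processor)
    redirect = handle_hosted_redirect({"order_id": "A1001", "amount": "42.00"}, hosted_log)
    try:
        handle_hosted_redirect(SAMPLE_FORM, hosted_log)
        rejected = False
    except ValueError:
        rejected = True
    return {"direct_log_has_pan": log_contains_pan(direct_log),
            "redacted_log_has_pan": log_contains_pan([redact(l) for l in direct_log]),
            "hosted_log_has_pan": log_contains_pan(hosted_log),
            "hosted_rejects_card_fields": rejected,
            "redirect": redirect}

if __name__ == "__main__":
    print(demo())
```

Redaction only limits what the log captures; in the first pattern the PAN still transits the merchant's process and memory, which is why the thread treats it as in scope.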