[Owasp-cincinnati] PCI compliance for protecting PANs and Minnesota Data Breach Laws

Marco M. Morana marco.m.morana at gmail.com
Wed Feb 27 23:28:23 EST 2008


Fellow OWASP Cincinnati members

 

Thanks for your enthusiastic participation in the last meeting. There were
only 9 people attending and, because of the weather conditions, I could not
have hoped for more people attending the meeting, frankly speaking. It was a
long presentation on my behalf because of all the material I had to cover;
again, I apologize for the extra time taken.

 

The presentation will be posted soon on the OWASP site.

 

I just wanted to address further some of the questions asked during
the presentation regarding:

 

1) PCI compliance for encrypting PANs: PANs (CCNs, or Primary Account
Numbers) should be protected with one of the methods listed in 3.4 (*)
(digest, truncation, strong encryption, tokens and pads) unless all the
compensating controls listed in Appendix B are in place (segmentation; access
control to credit card data via device IP, application and user accounts;
packet filtering), together with restricted logical access to the DB and SQL
injection mitigation.

(*) https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

 

2) State of Minnesota law that prevents storing credit card magnetic stripe
information, CVV2 and PINs. Indeed, the state of Minnesota has a data breach
law that prohibits entities conducting business in Minnesota from retaining
credit or debit card security code data, PIN verification codes, or the full
contents of any track of magnetic stripe data for more than 48 hours after
the authorization of a transaction. The credit and debit card data retention
provisions became effective on August 1, 2007. Minnesota also holds
merchants strictly liable for costs incurred by financial institutions that
assist consumers following the discovery of a security breach. The retailer
liability provisions become effective on August 1, 2008.
http://www.dlapiper.com/files/upload/E-Commerce_and_Privacy_Jun07.html

There has also been interest in dedicating a specific session to the CSRF
vulnerability (5th in the OWASP T10). Maybe we can dedicate a session to
CSRF and CSRF tools in April. In the meantime, please refer to the CSRF testing
web page here: http://www.owasp.org/index.php/Testing_for_CSRF and the tool
http://www.owasp.org/index.php/CSRF_Guard

The next session will cover use of source code analysis tools and use of
penetration testing to find common vulnerabilities in web applications.

Again, thanks for your participation.

Marco

OWASP Cincinnati Chapter Leader

http://www.owasp.org/index.php/Cincinnati

http://securesoftware.blogspot.com
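
The PCI point in item 1 lists four ways to render a stored PAN unreadable (digest, truncation, strong encryption, tokens). The following Python example, added here and not code from the post or from the PCI Council, shows three of them side by side on a constructed test PAN: truncation to BIN plus last four, a keyed HMAC-SHA256 index in place of a bare hash (a bare hash of a PAN is brute-forceable because the digit space is small), and a toy token vault that is the only component holding the full PAN. Strong encryption is the fourth method; it needs a third-party AES library and is not shown. The PAN, key and vault class are all assumptions of this example.

```python
"""Rendering a PAN unreadable: truncation, keyed digest, tokenization.

Added example, not code from the OWASP Cincinnati post or from PCI SSC.
SAMPLE_PAN and SAMPLE_KEY are constructed test values; in practice the key
comes from an HSM or key-management service, never from source code.
"""
import hashlib
import hmac
import re
import secrets

SAMPLE_PAN = "4111111111111111"   # standard test number, passes Luhn
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check, used only to reject input that is not a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_pan(pan: str) -> bool:
    """13-19 digits and a valid Luhn checksum."""
    return bool(re.fullmatch(r"\d{13,19}", pan)) and luhn_ok(pan)


def truncate(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four digits.
    The middle digits are discarded, so the stored value cannot be
    reversed to the full PAN."""
    if not is_pan(pan):
        raise ValueError("not a plausible PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_digest(pan: str, key: bytes) -> str:
    """One-way index value: HMAC-SHA256 over the PAN under a secret key.
    A plain SHA-256 is not enough here: with the BIN known and the Luhn
    digit fixed, a 16-digit PAN has only about 10**9 candidates, so an
    unkeyed hash can be reversed by brute force. The key must stay secret."""
    if not is_pan(pan):
        raise ValueError("not a plausible PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenization (toy, in-memory): applications store only a random
    token; the token -> PAN mapping lives in this one in-scope component.
    The same PAN always maps to the same token, so the token can serve as
    a customer identifier without exposing card data."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pan_by_token = {}
        self._token_by_digest = {}

    def index(self, pan: str) -> str:
        """Keyed lookup index for a PAN (never a bare hash)."""
        return keyed_digest(pan, self._key)

    def tokenize(self, pan: str) -> str:
        digest = self.index(pan)              # also validates the PAN
        token = self._token_by_digest.get(digest)
        if token is None:
            token = secrets.token_hex(16)     # random; carries no PAN bits
            self._token_by_digest[digest] = token
            self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only callers that genuinely need the PAN (e.g. settlement) get here."""
        return self._pan_by_token[token]


def protect_for_storage(pan: str, vault: TokenVault) -> dict:
    """What an out-of-vault system may persist: a display form, a lookup
    index and a token, but never the PAN itself."""
    return {
        "display": truncate(pan),
        "index": vault.index(pan),
        "token": vault.tokenize(pan),
    }


if __name__ == "__main__":
    vault = TokenVault(SAMPLE_KEY)
    record = protect_for_storage(SAMPLE_PAN, vault)
    for name, value in record.items():
        print(f"{name:8} {value}")
    print("detokenized:", vault.detokenize(record["token"]))
```

The record returned by `protect_for_storage` is what a web tier or reporting database would keep; only `TokenVault.detokenize` ever yields the PAN again, which is what makes the vault the one component that needs the full set of PCI controls.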
