[Owasp-portland] Owasp-portland Digest, Vol 20, Issue 5

Adam Gaydosh adam.gaydosh at anitian.com
Wed Apr 25 19:34:09 UTC 2012

The PCI SSC has not finished developing the standards for assessing the "category 3" devices for PA-DSS certification (that is, validated payment application - this means it has been validated to support a PCI DSS compliant payment environment, not necessarily that using a PA-DSS validated application automatically makes you a PCI DSS compliant merchant).  Category 3 are the general purpose / consumer grade mobile apps.  Without having the formalized guidance form the council on the controls required for these apps from a PA-DSS perspective, assessing them as part of a PCI DSS assessment is problematic for a QSA - they have to use their judgment as to whether or not the app reasonable meets the intent of the broader PA-DSS requirements, without knowing what specific requirements for those type of apps will be forth-coming.  Some more guidance from the council here:


Principal Security Consultant
Anitian Enterprise Security

-----Original Message-----
From: owasp-portland-bounces at lists.owasp.org [mailto:owasp-portland-bounces at lists.owasp.org] On Behalf Of owasp-portland-request at lists.owasp.org
Sent: Wednesday, March 14, 2012 5:00 AM
To: owasp-portland at lists.owasp.org
Subject: Owasp-portland Digest, Vol 20, Issue 5

Send Owasp-portland mailing list submissions to
	owasp-portland at lists.owasp.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	owasp-portland-request at lists.owasp.org

You can reach the person managing the list at
	owasp-portland-owner at lists.owasp.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Owasp-portland digest..."

Today's Topics:

   1. PCI And Mobile Credit Card Terminals (Matthew Lapworth)


Message: 1
Date: Tue, 13 Mar 2012 15:36:37 -0700
From: Matthew Lapworth <matthewl at bit-shift.net>
To: owasp-portland at lists.owasp.org
Subject: [Owasp-portland] PCI And Mobile Credit Card Terminals
	<CABU9uZi9EFu_TYLumthhny0unfrzABG=53oqvuF73cKHeFLGwg at mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

At the last chapter meeting the question was raised about how mobile CC devices like Square would fit into PCI. I asked the PCI expert at Nike and this was his reply. Please excuse the grammar and spelling, it was sent from his iPad.

The real answer is no one knows yet. The PCI SSC has been really vague on this. If they accept end to end encryption where the swipe device, in this case the Square Device, encrypts the data before the iPhone can get at it then the solution in itself could be PCI compliant.  But the real questions come around what happens is the iPhone can see the CC in the clear on the screen. Then IMHO the device would have to follow the rest of the PCI, like device hardening and the hardest; logging.

The PCI SSC has released an updated encryption document but is still very concerned about wireless devices; thank you TJ Max.

So in the end, it is what can you get your QSA to approve.

I would say that if you can should that the swipe device makes it so you can not get at the CC number , track data at all. And that the transport is encrypted, and you have solid controls over you devices. Then you should be able to get the solution easily approved without much additional controls.

On the other hand, if the CC is seen on the device, the work go a whole lot harder.

Matthew Lapworth

We are what we repeatedly do. Excellence then is not an act, but a habit.
  - Aristotle
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-portland/attachments/20120313/38bd12f7/attachment-0001.html>


Owasp-portland mailing list
Owasp-portland at lists.owasp.org

End of Owasp-portland Digest, Vol 20, Issue 5

More information about the Owasp-portland mailing list