[Owasp-vancouver] OWASP Chapter Meeting, July 22nd

Richard Ihmels rihmels at enkon.com
Fri Jul 23 18:44:29 EDT 2010

What I have seen done is an encrypted value stored in an SQL field.  The key to decrypt was half in the application and half in the registry.  Every time the key needed to be changed the field needed to be updated.  At the time (about two years ago) that was sufficient to pass the audit but I haven't kept up with PCI since then.

If I remember correctly the issue was having more than one of the three values of CC #, Expiry, or CSC/CVC/CVVC persistently stored (including in application, system or web application firewall logs) and none should be communicated in clear text across the internet.  It was suggested that copies in memory should be overwritten rather than abandoned.  There was also guidance to minimize the number of people (internal employees and such) that could actually see the decrypted information.

That's what I can remember off the top of my head anyways.


-----Original Message-----
From: owasp-vancouver-bounces at lists.owasp.org [mailto:owasp-vancouver-bounces at lists.owasp.org] On Behalf Of Rastislav Hodul
Sent: Friday, July 23, 2010 9:15 AM
To: owasp-vancouver at lists.owasp.org
Subject: Re: [Owasp-vancouver] OWASP Chapter Meeting, July 22nd

Hi Yvan and all,

thank you for the two great presentations yesterday!

I'm the one who asked about PCI certification. It would be greatly appreciated if anyone with experience in this area would share their thoughts via a presentation.

Yvan asked me if I want to do it. Sorry, but I'm the one who needs to learn :).

I can't reveal much about the application. The only thing I can say at this point is that we absolutely must store CC information for later use.

Thank you.

Rastio Hodul
rhodul at gmail.com

On Thu, Jul 22, 2010 at 10:50 PM, Yvan Boily <yvanboily at gmail.com> wrote:
> Thanks to everyone who came out, with 12 people, and some great 
> discussions on Risk Methodologies and Clouds!
> One of the outstanding questions from the meeting was related to Cloud 
> Hosting and PCI Payment processors:
> During my presentation on Cloud Technologies & Risks, one of the 
> attendees asked about ways of reducing the challenge of getting a 
> payment application that had to store the full credit card number for recurring transactions.
> Unfortunately we didn't have any people well versed in this area; is 
> there anyone on the list who can speak to PCI certification and Cloud 
> applications?
> I also mentioned the OWASP Testing Guide v4 work that is underway, and 
> the Application Security stack exchange.
> Guide: 
> https://lists.owasp.org/pipermail/owasp-testing/2010-July/001829.html
> Stack Exchange: http://area51.stackexchange.com/proposals/8431
> Once I receive the slides from Erasmus I will arrange to have them 
> posted to the OWASP Vancouver chapter.
> Thanks again to Martin Kyle and Sierra Systems for hosting the 
> meeting, and agreeing to host chapter meetings going forward!
> The next meeting is scheduled for October 21st, and we tentatively 
> have a presenter from IBM to do a technical discussion on application 
> security, but we can also have another speaker.
> Here are the remaining topics that were requested, do we have any 
> volunteers to do a presentation at the October meeting?
>   - OWASP Top Ten
>   - Digital Forensics
>   - Web Application Firewalls
>   - Fuzzers
>   - Exploitation Techniques
>   - Security Development Lifecycle
> Vote for your preferred topic for October 21st here:
> http://www.micropoll.com/akira/mpview/972139-267232
> I look forward to seeing you all at the next meeting!
> Yvan Boily
> _______________________________________________
> Owasp-vancouver mailing list
> Owasp-vancouver at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-vancouver
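Richard's point above about card data ending up in application, system or WAF logs, as an added example that is not part of this thread: a small Python log scrubber that masks any Luhn-valid 13 to 19 digit sequence down to its last four digits and removes CSC/CVC values outright, run over constructed sample log lines. The field names (`pan=`, `cvc=`) and the sample lines are assumptions for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Timestamps and order ids of similar length are
# filtered out afterwards by the Luhn check.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Card security codes must never be stored at all, so drop them rather than mask.
# Field names are assumed; adapt to the application's own log format.
CVC_FIELD = re.compile(r"\b(cvc|cvv|csc)=\d{3,4}\b", re.IGNORECASE)

# Constructed sample log lines (well-known test card numbers, not real accounts).
SAMPLE_LOG = [
    "2010-07-23 09:15:02 INFO order=1234567890123456 pan=4111 1111 1111 1111 exp=12/12 status=ok",
    "2010-07-23 09:15:03 INFO pan=5500000000000004 cvc=123 status=declined",
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(line: str) -> str:
    """Mask every Luhn-valid card number in the line, keeping only the last four digits."""
    def _mask(match: "re.Match[str]") -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw          # not a card number (order id, timestamp); leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, line)


def scrub_line(line: str) -> str:
    """Apply both rules: mask PANs, remove security codes entirely."""
    return CVC_FIELD.sub(r"\1=[removed]", mask_pans(line))


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scrub_line(entry))
```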