[Owasp-vancouver] OWASP Chapter Meeting, July 22nd

Yvan Boily yvanboily at gmail.com
Fri Jul 23 18:58:59 EDT 2010


Hi Rastislav,

I spoke with some of my colleagues in the PCI QSA space today to get some
better insight into this.  I also approached a local PCI QSA, who has agreed
to come to give a presentation on PCI and do some Q&A at the next meeting,
so if your concerns aren't sorted by then, you can ask in October!

Based on conversations today, the model you would want to pursue would be
something like the following:

1. You have a *core* application that manages your customer account, details
about billing cycles, shopping carts, and all the fun stuff except for the
actual payment details.  This application's presentation tier would reside
in your DMZ.

2. You have a separate application which acts as a *repository* that stores
payment card details.  This application must not be exposed to the internet,
and must reside on a separate network (layer 3 isolation) from the
application and servers described in section 1.  Using a secure means, your
core application makes calls to this application to store and retrieve
payment card details associated with an account, and this application
functions by making calls to your payment processor.

Under this scenario, according to two separate QSAs, your core application
would not be subject to PCI verification; however, you would have to ensure
that the actual credit card is never stored or processed in your core
application.

The other recommendation that was made was to work within your organization
/ with your customers to complete the PCI DSS Self Assessment
Questionnaire.  You can find this at
https://www.pcisecuritystandards.org/saq/index.shtml

I hope this clarifies the issue.

Regards,
Yvan Boily
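The split described in points 1 and 2 (a DMZ-facing core application that keeps account data, and a separate repository on an isolated network that is the only component to hold card numbers and to talk to the processor), as an added example that is not part of the original message. Everything in it is constructed for illustration: the vault, the processor stub, the token format, the account id and the well-known 4111 test PAN. One design choice goes a step beyond the email: the core application receives only a random token and a masked display value from the vault and asks the vault to charge the token, so the full PAN never crosses back into the DMZ tier; the `contains_pan` scan at the end is a rough way to check that property on a component's state. Vault storage is a plain dict; a real repository renders the PAN unreadable at rest (PCI DSS requirement 3.4) with keys held outside the data store, and card capture would be a page or iframe served by the vault rather than a direct function call.

```python
"""Toy model of a DMZ core application plus an isolated card vault.
All components, names and the test PAN are constructed for this example."""
from __future__ import annotations

import re
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Mod-10 checksum; necessary for a real PAN, not sufficient."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive (PCI DSS req. 3.3)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class ProcessorStub:
    """Stand-in for the payment processor; records what it was asked to charge."""

    def __init__(self) -> None:
        self.charges: list[tuple[str, int]] = []

    def charge(self, pan: str, expiry: str, amount_cents: int) -> str:
        self.charges.append((mask_pan(pan), amount_cents))
        return "AUTH-" + secrets.token_hex(4)


@dataclass
class CardRecord:
    pan: str
    expiry: str


class CardVault:
    """Repository on the isolated network: the only class that ever sees a PAN.
    Storage is a dict here; a real vault encrypts at rest (PCI DSS req. 3.4)."""

    def __init__(self, processor: ProcessorStub) -> None:
        self._records: dict[str, CardRecord] = {}
        self._processor = processor

    def store(self, pan: str, expiry: str) -> tuple[str, str]:
        """Validate and keep the card; return a random token plus masked PAN."""
        pan = re.sub(r"\D", "", pan)
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        token = "tok_" + secrets.token_urlsafe(18)  # random, not derived from PAN
        self._records[token] = CardRecord(pan, expiry)
        return token, mask_pan(pan)

    def charge(self, token: str, amount_cents: int) -> str:
        """Recurring billing: the PAN is used here and never leaves the vault."""
        rec = self._records[token]
        return self._processor.charge(rec.pan, rec.expiry, amount_cents)


class CoreApplication:
    """DMZ-facing application: accounts, billing cycles, carts, and a token."""

    def __init__(self, vault: CardVault) -> None:
        self._vault = vault
        self.accounts: dict[str, dict] = {}

    def attach_card(self, account_id: str, token: str, masked: str) -> None:
        self.accounts.setdefault(account_id, {})["card"] = {
            "token": token, "display": masked}

    def bill(self, account_id: str, amount_cents: int) -> str:
        token = self.accounts[account_id]["card"]["token"]
        return self._vault.charge(token, amount_cents)


PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def contains_pan(state: object) -> bool:
    """Crude scope check: does a component's state hold any Luhn-valid PAN?"""
    return any(luhn_valid(m) for m in PAN_RE.findall(repr(state)))


def demo() -> dict:
    processor = ProcessorStub()
    vault = CardVault(processor)
    core = CoreApplication(vault)
    # Card capture goes to the vault directly (a hosted page or iframe in
    # practice), so the core app only ever receives the token and masked form.
    token, masked = vault.store("4111 1111 1111 1111", "12/30")  # constructed test PAN
    core.attach_card("acct-42", token, masked)
    auth = core.bill("acct-42", 1999)
    return {
        "masked": masked,
        "auth": auth,
        "core_holds_pan": contains_pan(core.accounts),
        "vault_holds_pan": contains_pan(vault._records),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the core application's state holding a `tok_...` value and `************1111` while the vault's state is the only place the scan finds a full PAN; in a real deployment the same scan idea (a PAN regex plus Luhn over logs, database dumps and DMZ hosts) is a cheap way to catch card data leaking into the tier you want to keep out of scope.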

On Fri, Jul 23, 2010 at 9:15 AM, Rastislav Hodul <rhodul at gmail.com> wrote:

> Hi Yvan and all,
>
> thank you for the two great presentations yesterday!
>
> I'm the one who asked about PCI certification. It would be greatly
> appreciated if anyone with experience in this area would share their
> thoughts via a presentation.
>
> Yvan asked me if I want to do it. Sorry, but I'm the one who needs to learn
> :).
>
> I can't reveal much about the application. The only thing I can say at
> this point is that we absolutely must store CC information for later
> use.
>
> Thank you.
>
> Rastio Hodul
> rhodul at gmail.com
>
>
>
> On Thu, Jul 22, 2010 at 10:50 PM, Yvan Boily <yvanboily at gmail.com> wrote:
> > Thanks to everyone who came out, with 12 people, and some great discussions
> > on Risk Methodologies and Clouds!
> >
> > One of the outstanding questions from the meeting was related to Cloud
> > Hosting and PCI Payment processors:
> >
> > During my presentation on Cloud Technologies & Risks, one of the attendees
> > asked about ways of reducing the challenge of getting a payment application
> > that had to store the full credit card number for recurring transactions.
> > Unfortunately we didn't have any people well versed in this area; is there
> > anyone on the list who can speak to PCI certification and Cloud
> > applications?
> >
> > I also mentioned the OWASP Testing Guide v4 work that is underway, and the
> > Application Security stack exchange.
> > Guide: https://lists.owasp.org/pipermail/owasp-testing/2010-July/001829.html
> > Stack Exchange: http://area51.stackexchange.com/proposals/8431
> >
> > Once I receive the slides from Erasmus I will arrange to have them posted to
> > the OWASP Vancouver chapter.
> >
> > Thanks again to Martin Kyle and Sierra Systems for hosting the meeting, and
> > agreeing to host chapter meetings going forward!
> >
> > The next meeting is scheduled for October 21st, and we tentatively have a
> > presenter from IBM to do a technical discussion on application security, but
> > we can also have another speaker.
> >
> > Here are the remaining topics that were requested, do we have any volunteers
> > to do a presentation at the October meeting?
> >
> >   - OWASP Top Ten
> >   - Digital Forensics
> >   - Web Application Firewalls
> >   - Fuzzers
> >   - Exploitation Techniques
> >   - Security Development Lifecycle
> >
> >
> > Vote for your preferred topic for October 21st here:
> > http://www.micropoll.com/akira/mpview/972139-267232
> >
> > I look forward to seeing you all at the next meeting!
> > Yvan Boily
> >
> > _______________________________________________
> > Owasp-vancouver mailing list
> > Owasp-vancouver at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-vancouver
> >
> >
>

