[Owasp-vancouver] OWASP Chapter Meeting, July 22nd

Rastislav Hodul rhodul at gmail.com
Fri Jul 23 19:36:19 EDT 2010

Thank you all for you responses! I'll keep all these in mind.

Special thanks to you Yvan for arranging PCI presentation! It's awesome.


Rastio Hodul
rhodul at gmail.com

On 2010-07-23 3:58 PM, "Yvan Boily" <yvanboily at gmail.com> wrote:

Hi Rastislav,

I spoke with some of my colleagues in the PCI QSA space today to get some
better insight into this.  I also approached a local PCI QSA, who has agreed
to come to give a presentation on PCI and do some Q&A at the next meeting,
so if your concerns aren't sorted by then, you can ask in October!

Base on conversations today, the model you would want to pursue would be
something like the following:

1. You have a *core *application that manages your customer account, details
about billing cycles, shopping carts, and all the fun stuff except for the
actual payment details.  This application's presentation tier would reside
in your DMZ.

2. You have a separate application which acts as a *repository *that stores
payment card details.  This application must not be exposed to the internet,
and must reside on a separate network (layer 3 isolation) from the
application and servers described in section 1.  Using a secure means, your
core application makes calls to this application to store and retrieve
payment card details associated with an account, and this application
functions by making calls to your payment processor.

Under this scenario, according to two separate QSAs your core application
would not be subject to PCI verification, however you would have to ensure
that the actual credit card is never stored or processed in your core

The other recommendation that was made was to work within your organization
/ with your customers to complete the PCI DSS Self Assessment
Questionnaire.  You can find this at

I hope this clarifies the issue.

Yvan Boily

On Fri, Jul 23, 2010 at 9:15 AM, Rastislav Hodul <rhodul at gmail.com> wrote:

> Hi Yvan and all,
> thank you for great two presentations yesterday!
> I'm the one who asked ...

More information about the Owasp-vancouver mailing list