[Phpwm] PCI DSS security standard

David Edwards revlob at gmail.com
Fri Mar 28 09:41:18 GMT 2008


I've read through a copy of the PCI standard, and in summary, a lot of
it is common sense (I'd hope). From a software perspective, you need
to keep your platform updated with all the relevant security patches,
use SSL for the transfer of credit card numbers, etc.

The not-so-common-sense stuff is mostly about data storage, access,
and auditing. For example, you need to ensure that you do not store
the credit card security codes (CVV), and when you output a credit
card number, you must obscure all but the last four digits.

I found the guidance document to be quite good at explaining the
requirements. It can be found here:

https://www.pcisecuritystandards.org/pdfs/navigating_pci_dss_v1-1.pdf

Regards,

Dave Edwards
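
A worked illustration of the two storage and output rules described above (never keep the CVV, and show only the last four digits of a card number), plus a check that scans logs for card numbers that escaped masking. This is added example code, not part of this post or of the PCI guidance document; the form field names, the log lines and the card numbers are constructed test values.

```python
"""Card-data handling helpers for two PCI DSS requirements mentioned in
the post: never store the card security code (CVV), and mask the card
number (PAN) to its last four digits whenever it is output.  Added example,
not from the original post; all names and sample data are constructed."""
import re

# Field names that must never reach persistent storage after authorisation.
# The names are an assumption about what a checkout form might submit.
FORBIDDEN_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code",
                  "track1", "track2", "pin"}


def mask_pan(pan: str) -> str:
    """Return the PAN with every digit but the last four replaced by '*'.
    Spaces and dashes are stripped first; anything that is not 13-19 digits
    is rejected outright rather than being half-masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a card number (expected 13-19 digits)")
    return "*" * (len(digits) - 4) + digits[-4:]


def prepare_for_storage(payment: dict) -> dict:
    """Build the only record that may be persisted: security-code and other
    sensitive authentication fields are dropped entirely (not even stored
    encrypted), the PAN is replaced by its masked form, the rest passes."""
    stored = {}
    for key, value in payment.items():
        k = key.lower()
        if k in FORBIDDEN_KEYS:
            continue
        if k in ("pan", "card_number"):
            stored["masked_pan"] = mask_pan(str(value))
            continue
        stored[key] = value
    return stored


# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters out order numbers and other long
    digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_unmasked_pans(text: str) -> list:
    """Scan log or database text for full card numbers that slipped past
    masking.  Returns the masked form of each hit so that the report
    itself does not repeat the offence."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


# Constructed sample log: line 1 leaks a full test PAN, line 2 is properly
# masked, line 3 is a 16-digit reference that fails the Luhn check.
SAMPLE_LOG = """2008-03-28 09:41 checkout ok customer=42 pan=4111 1111 1111 1111 amount=19.99
2008-03-28 09:42 checkout ok customer=43 pan=************0004 amount=5.00
2008-03-28 09:43 lookup ref=1234567890123456
"""

if __name__ == "__main__":
    print(prepare_for_storage({"card_number": "4111111111111111",
                               "cvv": "123", "expiry": "03/10"}))
    print("unmasked PANs in log:", find_unmasked_pans(SAMPLE_LOG))
```

The masking function deliberately refuses short or malformed input instead of returning it unchanged, so a bug upstream cannot silently turn into a cleartext number in a template or log; the log scanner is the kind of check that can be run over web server and application logs before an audit.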

On 27/03/2008, Phil Beynon <phil at infolinkelectronics.co.uk> wrote:
> > alan dunn wrote:
> > | We wonder if others in the group are familiar with the 'Payment Card
> > | Industry Data Security Standard' and if so does anyone have any
> > | experience of being audited or gaining compliance certification for any
> > | customer apps they are hosting?
> >
> > No; however a friend of mine wrote a fairly good article in Linux User
> > and Developer some months ago covering the various aspects that need to
> > be 'covered' and how this can be done using Linux+FLOSS stuff.
> >
> > Some of the things were (from memory) along the lines of "the database
> > can't be connected directly to the internet"
> >
> > If you're interested, I'll try and hassle him and see if he can/will
> > make the original text to the article available somehow.
> >
> >
> > | Here is a direct quote from our client's email "all companies which
> > | handle credit card data must be PCI DSS compliant by the end of March.
> > | This is the Payment Card Industry Data Security Standard which all
> > | companies have to comply with. It's all really technical but the main
> > | point is that if you are not compliant then the responsibility for any
> > | fraud sits with you and not with the banks"
> > |
> > | Here is a link: http://www.itgovernance.co.uk/pci_dss.aspx
> > |
> > | The issue of 'responsibility for fraud' certainly raises some
> > | interesting contractual questions about the consequences of hosting
> > | customer data - especially credit card data.
> >
> > Yes it does.
> > But, I think it's a necessary step to ensure that people's data isn't
> > lost. If it happens to make web site operators think about the security
> > of their application, then all the better.
> >
> >
> > Thanks
> > David.
>
> Alan,
> This is something I am actively involved with for hosted customers.
> I am writing up a list of flaws in their procedures and am just about to
> tell securitymetrics what a load of bollocks their testing process actually
> is. They don't seem to have any comprehension that a site can be sitting on
> shared hosting for one thing.
> Every time I get anywhere near actual compliance all that happens is they
> move the goalposts yet again and fail a whole load of new items, including
> now the latest release of Actinic Catalog software.
> If it's something you are working towards as well I'd be interested to see
> how you were getting past various hurdles.
>
> Phil
>


