PCI Security Standard



Has anyone on this board heard of this?  It is something set up by Visa
and Mastercard stating that if you are taking payments you need to
adhere to a list of requirements.

I am working with a client who wishes to use Authorize.NET as a payment
gateway.  We currently encrypt all of our credit cards, and we handle
sessions using a database and GUIDs.

My client is telling me that the way we are doing session is not PCI
compliant.  Does anyone know what he is talking about?

Thank you for any insight.


Re: PCI Security Standard

On 14 Jun 2006 13:02:43 -0700, danielle.m.manning@gmail.com opined:

Google is your friend


Re: PCI Security Standard

Thanks, I had actually seen that document; I was more interested in
hearing whether or not (and if not, why) the use of GUIDs and database
sessions might not be PCI compliant.

David Cary Hart wrote:

Re: PCI Security Standard

danielle.m.manning@gmail.com wrote:

General merchant guidance (CISP)

Data standards (PCI)
This is really just a taxonomy of categories for problems, not hard and
fast rules about avoiding them, or mandatory requirements.

OWASP general best practice advice on session-related issues.


PCI 6.5.3 gives the vague comment

"Cover prevention of common coding vulnerabilities in software
processes, to include:  [...] Broken authentication/session management
(use of account credentials and session cookies)"

So basically just do decent competent work and you're covered. Don't
have fragile, informative, guessable or subvertible sessions. As to
whether you're currently compliant, you'd have to judge what
you're doing against some standard, such as perhaps the OWASP guidance.
PCI certainly doesn't _forbid_ sessions or cookies, if done
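To make the "not fragile, informative, guessable or subvertible" test concrete, here is an added example that is not code from this thread or from any of the standards it cites. It shows a database-backed session store of the kind the original poster describes, and the two points a reviewer would check: how the session identifier is generated, and how the session is expired and rotated. It also decodes a version-1 GUID to show why a GUID is not automatically a safe session identifier (RFC 4122 itself says UUIDs should not be assumed hard to guess; a v1 UUID embeds a timestamp and, typically, the generating host's MAC address, which makes it "informative"). The in-memory SQLite table, the 15-minute idle timeout, the cookie name `sid`, and the sample GUID string are all constructed for the example.

```python
import hmac
import secrets
import sqlite3
import time
import uuid

# Idle timeout for a session; an assumed value, not a figure from PCI.
SESSION_TTL_SECONDS = 15 * 60


def make_session_id():
    """256 bits from the OS CSPRNG, URL-safe base64 (43 chars, no padding).

    Nothing about the user, host or time is encoded, so the ID is neither
    informative nor guessable, unlike a counter or a v1 GUID.
    """
    return secrets.token_urlsafe(32)


def guid_fields(guid_text):
    """Decode what a GUID reveals. For version 1 that is a 60-bit timestamp
    (100 ns ticks since 1582-10-15) and a 48-bit node, usually the MAC."""
    u = uuid.UUID(guid_text)
    info = {"version": u.version}
    if u.version == 1:
        info["node"] = u.node
        info["timestamp_100ns"] = u.time
    return info


class SessionStore:
    """Sessions kept server-side in a database; the client only holds the ID.

    `clock` is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, conn=None, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self.conn = conn or sqlite3.connect(":memory:")  # constructed store
        self.ttl = ttl
        self.clock = clock
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " id TEXT PRIMARY KEY, user_id TEXT NOT NULL,"
            " created REAL NOT NULL, last_seen REAL NOT NULL)"
        )

    def create(self, user_id):
        sid = make_session_id()
        now = self.clock()
        self.conn.execute(
            "INSERT INTO sessions VALUES (?, ?, ?, ?)", (sid, user_id, now, now)
        )
        return sid

    def lookup(self, sid):
        """Return the user for a live session, or None. Idle sessions are
        revoked on touch so a stolen ID does not stay valid indefinitely."""
        row = self.conn.execute(
            "SELECT user_id, last_seen FROM sessions WHERE id = ?", (sid,)
        ).fetchone()
        if row is None:
            return None
        user_id, last_seen = row
        now = self.clock()
        if now - last_seen > self.ttl:
            self.revoke(sid)
            return None
        self.conn.execute(
            "UPDATE sessions SET last_seen = ? WHERE id = ?", (now, sid)
        )
        return user_id

    def rotate(self, sid):
        """Issue a fresh ID for the same user and drop the old one. Done at
        login and on privilege change so an ID handed to the browser before
        authentication can never become the authenticated session."""
        user_id = self.lookup(sid)
        if user_id is None:
            return None
        self.revoke(sid)
        return self.create(user_id)

    def revoke(self, sid):
        self.conn.execute("DELETE FROM sessions WHERE id = ?", (sid,))


def ids_match(presented, expected):
    """Constant-time comparison for any place an ID is checked outside the
    database lookup (e.g. a CSRF token bound to the session)."""
    return hmac.compare_digest(presented, expected)


def session_cookie_header(sid, name="sid"):
    """Cookie attributes a reviewer would expect; assumes the site is HTTPS-only."""
    return f"{name}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("customer-1")
    print(session_cookie_header(sid))
    print(guid_fields("00000000-0000-1000-8000-001122334455"))
```

The database-and-GUID design the poster describes is therefore not wrong in shape; what matters is that the identifier comes from a cryptographic random source rather than from a GUID algorithm that may encode time or host data, and that the server side enforces timeout and rotation.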
