Questions tagged [pci-dss]

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC).

PCI DSS applies whenever an organisation stores, processes or transmits cardholder data. Payment cards are those carrying the brands of the council's founding members: Visa, MasterCard, JCB, American Express and Discover (which also owns Diners Club International). Compliance is validated either by a Self-Assessment Questionnaire (SAQ) for smaller organisations or by an on-site assessment by a Qualified Security Assessor (QSA) for larger ones. The cut-offs (merchant and service provider levels) are set by the card schemes and are based on the number of transactions an organisation handles per year. Associated standards are PA-DSS for payment applications (retired in 2022 in favour of the PCI Secure Software Standard) and PCI PTS for PIN transaction security devices. All of these standards are set and maintained by the PCI SSC. Compliance is mandated by the card schemes but is communicated and enforced through acquiring banks or other parties. Failure to comply with PCI DSS can result in fines or other sanctions.

Latest version of the standard: PCI DSS v4.0.1 (June 2024). PCI DSS v3.2.1, the version most of the questions below refer to, was retired on 31 March 2024.

211 questions
2 votes · 3 answers

Is PCI SAQ A sufficient for an eCommerce website with a custom payment page?

The question - Our payment flow is as follows: 1 - Customer adds items to basket. 2 - When viewing basket, customer can see products & also has the option of entering a delivery address AND a billing address, but NO sensitive card details. 3 - The…
flukeflume
2 votes · 1 answer

PCI Compliance + Magento + PHP version

I'm trying to get PCI Compliance for my dedicated server (Red Hat Enterprise Linux), which is running Magento. When I first installed Magento on the server, I realized that RHEL comes with a PHP version which is too old for Magento (5.1.6). So, I…
Erebus
2 votes · 3 answers

Vulnerability reports from PCI-DSS scan

We have had a PCI scan on one of our websites passed on to us by one of our clients. There are a number of reports of vulnerabilities that look something like this: Network service: 80/443 Application URL: http://www.oursite.com/signup.php The…
robjmills
2 votes · 2 answers

storing credit card info

So I would like to modify a PHP / MySQL application in order to store credit card (but not CVV) and bank account info securely. PCI DSS requires 1024-bit RSA/DSA. A small number of users will be given the private key in order to decrypt the batch file of…
JM.
2 votes · 1 answer

PABP 1.4 versus PA-DSS - Do we need to upgrade?

Our applications are certified and on the list of certified PABP compliant applications. We were certified with the latest PABP 1.4. Now, PA-DSS is the new kid on the block. Is it an automatic upgrade to PA-DSS from PABP 1.4 or do we have to be…
user195488
2 votes · 2 answers

security metrics

When I am executing the scan on Security Metrics for PCI compliance, I am getting the following error message. Does anyone know how to resolve this? *Title: vulnerable web program (phpRPC) Impact: A remote attacker could execute arbitrary…
joby john
2 votes · 2 answers

Process to detect security vulnerabilities in my iPhone app

I am working on an iPhone application and I have a credit card payment process. I also save the credit card for quick use later. I want to make sure I follow all the security standards presented by…
Y2theZ
2 votes · 1 answer

EC2 Security Groups vs VPC for PCI

Is using VPC required for PCI on a platform level? Or can PCI be achieved by security groups alone? I'm only asking this because I've gotten mixed responses from Amazon on this question, the sales reps state VPC is required to be PCI compliant,…
Jonathan
2 votes · 2 answers

Sending the first 12 digits of a PAN, is that considered PCI-DSS compliant?

I'm looking at a solution that requires us to capture and send the first 12 digits of a customer's PAN in order to initiate a transaction that will be finalized by the customer at a later stage with an external payment processor. A transaction log…
Kalle Kula
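The masking and truncation rules this question turns on, as an added example (it is not part of the question or of any answer, and it reflects PCI DSS 3.2.1 Requirement 3.3 for display and the first-six/last-four truncation rule for storage). It assumes a 16-digit PAN and uses the public Visa test number 4111 1111 1111 1111, not real cardholder data. The last function counts how many Luhn-valid PANs are consistent with a given prefix, which shows why a 12-digit prefix is not a truncated PAN.

```python
"""Added example: PAN masking, PAN truncation and a Luhn-completion count.

The PAN used below is the well-known Visa test number, not real data.
"""


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return total % 10 == 0


def _check(pan: str) -> None:
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")


def mask_pan(pan: str) -> str:
    """Masked form for display (PCI DSS 3.2.1 Req. 3.3): at most the first
    six (BIN) and last four digits may be shown; the rest are replaced."""
    _check(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncated form for storage: first six + last four, the middle digits
    permanently removed. Only this form is treated as out of scope; any
    longer run of PAN digits is still cardholder data."""
    _check(pan)
    return pan[:6] + pan[-4:]


def luhn_completions(prefix: str, length: int = 16) -> int:
    """Count the `length`-digit numbers that start with `prefix` and pass the
    Luhn check, i.e. how many candidate PANs a partial PAN still allows.
    Because the final digit is a check digit, the answer is always
    10 ** (missing digits) / 10."""
    missing = length - len(prefix)
    return sum(
        1 for n in range(10 ** missing)
        if luhn_valid(prefix + str(n).zfill(missing))
    )


if __name__ == "__main__":
    test_pan = "4111111111111111"          # public Visa test number
    print("display :", mask_pan(test_pan))
    print("storage :", truncate_pan(test_pan))
    print("12-digit prefix leaves", luhn_completions(test_pan[:12]), "candidates")
    print("6+4 truncation leaves", 10 ** 5, "candidates (6 middle digits free, Luhn removes 1 digit)")
```

For a 16-digit card a 12-digit prefix leaves 10^4 completions of which exactly 1,000 pass Luhn, so the prefix is effectively the PAN and stays in scope (Requirement 3.4 applies to it wherever it is stored or logged). The first-six/last-four form leaves 10^5 Luhn-valid candidates and, more importantly, is the form the standard itself defines as truncated.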
2 votes · 1 answer

How to disable SSLv2 in favor of SSLv3 for WCF net.tcp and https services

As part of a PCI compliance testing we discovered that our WCF net.tcp endpoints that are secured using transport level security and certificates are allowing for SSLv2 connections. Our services are self hosted, so we are not working with IIS to…
Kevin Green
2 votes · 1 answer

I have a few questions for PCI compliance

I'm looking at the Merchant accounts, and from what I understand, storing a shipping address is okay for PCI Compliance, is this true? Also, it seems Recurly's API would require SAQ C or SAQ D and I looked at some sample questions: Do…
Strawberry
1 vote · 1 answer

How do you provide encryption keys to a daemon or service?

I am trying to figure out a solution to a 'chicken and egg' issue which I have come across in a project I am working on for a new venture. The systems in question are handling credit card data and as such the card numbers etc. need to be stored…
Matthew Savage
1 vote · 4 answers

Securing site against XSS attacks

I have an ecommerce site which has to be PCI compliant. The issue I have is that it fails on a XSS attack: www.mydomain.com?qs=%3c%2fscript%3e%3c script%3ealert(12345)%3c%2fscript%3e Is there a way in .htaccess to strip out any malicious script…
user180386
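The reflected XSS the scanner reported, as an added example (not part of the question or of any answer): the scanner's payload echoed into the page unencoded, the same page behind a "strip `<script>`" blocklist of the kind a .htaccess rewrite rule would implement, and the fix, which is output encoding for the HTML context. The page template and the nested bypass payload are constructed for the example; the first payload is the one quoted in the question, minus the stray space.

```python
"""Added example: reflected XSS, a blocklist 'fix' and its bypass, and
output encoding. The HTML template is a stand-in for the real page."""
import html
import re
from urllib.parse import unquote

# Payload from the question, still URL-encoded as the scanner sends it.
SCAN_PAYLOAD = "%3c%2fscript%3e%3cscript%3ealert(12345)%3c%2fscript%3e"
# Constructed payload: removing the inner "<script>" once recreates it.
NESTED_PAYLOAD = "<scr<script>ipt>alert(12345)</script>"

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def executes_script(page: str) -> bool:
    """True if the rendered page contains a live <script> tag."""
    return bool(SCRIPT_TAG.search(page))


def render_vulnerable(qs: str) -> str:
    """Echoes the decoded parameter straight into the HTML body."""
    return f"<p>Results for {unquote(qs)}</p>"


def render_blocklist(qs: str) -> str:
    """What a rewrite rule or regex filter does: delete every literal
    <script> / </script> once. It stops the scanner's probe and nothing
    else; the nested payload survives it with a working tag."""
    cleaned = re.sub(r"(?i)</?script>", "", unquote(qs))
    return f"<p>Results for {cleaned}</p>"


def render_escaped(qs: str) -> str:
    """The actual fix: encode for the context the value lands in. For HTML
    text, html.escape turns < > & " ' into entities, so no tag can form
    whatever the input is. Other contexts (attributes, JavaScript strings,
    URLs) need their own encoders."""
    return f"<p>Results for {html.escape(unquote(qs), quote=True)}</p>"


if __name__ == "__main__":
    for name, fn in [("vulnerable", render_vulnerable),
                     ("blocklist", render_blocklist),
                     ("escaped", render_escaped)]:
        for payload in (SCAN_PAYLOAD, NESTED_PAYLOAD):
            print(f"{name:10} executes={executes_script(fn(payload))}  {fn(payload)}")
```

The blocklist passes the scanner's exact probe and fails the first variant an attacker tries, which is why a .htaccess-level filter does not satisfy the finding; PCI DSS Requirement 6.5.7 (3.2.1) is about the application encoding its output, and a scan that still finds the reflection will keep failing until it does.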
1 vote · 0 answers

PCI - Store Cryptographic Keys Securely, Requirement 3.4

From the PCI DSS2 docs: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf 3.4.1.b Verify that cryptographic keys are stored securely (for example, stored on removable media that is adequately protected with strong access…
Chris Moschini
1 vote · 0 answers

curl vulnerabilities reported against a container image that runs a dotnetcore process

We're running a dotnetcore web application on a Debian 11.7-slim image in AWS ECS+Fargate. Snyk Container is reporting that curl 7.74 is present on the image and suffers from "CVE-2023-23914 - cleartext transmission of sensitive information". We…
Peter McEvoy