Questions tagged [pci-dss]

PCI DSS stands for Payment Card Industry Data Security Standard: a set of security requirements, maintained by the PCI Security Standards Council, for protecting cardholder data and other information related to card-based payment instruments.

668 questions
107
votes
5 answers

Being told my "network" isn't PCI compliant. I don't even have a server! Do I have to comply?

We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business. Our Treasurer uses a Verifone vx520 card reader to process credit card…
user3512967
83
votes
7 answers

How many digits of a Visa card number can vendors disclose on receipts?

I visited a local McDonald's, and I noticed part of my Visa number repeated on the receipt like this: NNNN NN__ ____ NNNN. (So out of a total of 16 digits it breaks down like this: First six digits revealed, middle six digits hidden, final four…
SimZal
72
votes
2 answers

Minimum requirements for storing last 4 digits of credit card number?

We have a merchant website that uses Authorize.net's CIM and AIM. Our users may have multiple credit cards, so we'd want to give them the opportunity to distinguish between credit cards that they use on site. Currently we think about storing cardholder…
Andrei Botalov
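The two questions above (what a receipt may show, what a merchant may keep to let a customer tell their cards apart) both come down to PAN truncation. Added example, not code from either question or its answers: a Go implementation of the masking rule in PCI DSS v3.x Requirement 3.3 (first six and last four digits are the maximum that may be displayed; v4.0 Requirement 3.4.1 phrases the same limit as BIN plus last four), plus the Luhn check that distinguishes a real PAN from an arbitrary digit run. The card number used is the well-known Visa test number, not a live card; the function names are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// NormalizePAN drops the spaces and dashes that receipts and web forms insert
// and checks that what remains is a 13 to 19 digit string.
func NormalizePAN(s string) (string, error) {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= '0' && r <= '9':
			b.WriteRune(r)
		case r == ' ' || r == '-':
			// separator, ignored
		default:
			return "", fmt.Errorf("PAN contains non-digit character %q", r)
		}
	}
	pan := b.String()
	if len(pan) < 13 || len(pan) > 19 {
		return "", fmt.Errorf("PAN length %d is outside 13..19", len(pan))
	}
	return pan, nil
}

// LuhnValid reports whether a digit-only string (NormalizePAN output) passes
// the mod-10 check every card brand applies. Together with the length rule it
// is the usual first filter when scanning logs or dumps for stray PANs.
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// MaskPAN replaces every digit except the first keepFirst (0..6) and the last
// four with '*'. keepFirst=6 is the most a receipt or UI may show; keepFirst=0
// gives the "****1111" form that is enough to tell a customer's cards apart.
func MaskPAN(pan string, keepFirst int) (string, error) {
	pan, err := NormalizePAN(pan)
	if err != nil {
		return "", err
	}
	if keepFirst < 0 || keepFirst > 6 {
		return "", errors.New("keepFirst must be between 0 and 6")
	}
	masked := []byte(pan)
	for i := keepFirst; i < len(masked)-4; i++ {
		masked[i] = '*'
	}
	return string(masked), nil
}

// GroupFour re-inserts receipt-style spacing: "4111 11** **** 1111".
func GroupFour(s string) string {
	var parts []string
	for len(s) > 4 {
		parts, s = append(parts, s[:4]), s[4:]
	}
	return strings.Join(append(parts, s), " ")
}

func main() {
	// 4111 1111 1111 1111 is the well-known Visa test number, not a live card.
	masked, err := MaskPAN("4111-1111-1111-1111", 6)
	if err != nil {
		panic(err)
	}
	fmt.Println(GroupFour(masked))             // 4111 11** **** 1111
	fmt.Println(LuhnValid("4111111111111111")) // true
	fmt.Println(LuhnValid("4111111111111112")) // false
}
```

The receipt in the McDonald's question (NNNN NN__ ____ NNNN) is exactly the keepFirst=6 output; anything that shows more digits than that, or that logs the unmasked input string, is outside what the standard allows for display.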
44
votes
3 answers

Should I disable TLS 1.0 on my servers?

The PCI Data Security Standard 3.1 recommends disabling "early TLS" along with SSL: SSL and early TLS are not considered strong cryptography and cannot be used as a security control after June 30, 2016. The Migrating from SSL and Early TLS…
augurar
42
votes
4 answers

How to store credit card information for repeated transactions and still be PCI compliant?

I'm overhauling our absolute time-bomb of an order processing system that would put us out of business tomorrow were we audited for PCI compliance. It's so amateur it's scary. I'm planning on making a case to the higher-ups that the liabilities of…
Ivan
39
votes
4 answers

Convince the company not to store credit card numbers in our webapp

The company I work for needs a system to perform monthly credit card charges to customer accounts. Customers will be able to update their credit card information from an online interface written in PHP (which will be presented through HTTP over…
M8R-53mg86
36
votes
1 answer

Which is the Best Cipher Mode and Padding Mode for AES Encryption?

As per PCI DSS requirement 3.4: for storing credit card data, strong cryptography should be used. I decided to use AES encryption, which is a strong and mostly recommended crypto for encrypting credit card details. I saw that AES has cipher mode and…
RajeshKannan
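The question above asks which AES mode and padding to pick for stored card data. Added example, not code from the question or its answer: a Go pair of functions that store a PAN with AES-256-GCM, the authenticated mode that removes the padding question entirely (GCM has no padding, so there is no padding oracle to attack, unlike CBC with PKCS#7 and no MAC). The random per-call nonce is stored with the ciphertext and the record identifier is bound in as associated data. The key here is generated on the fly for the demo; the function names and the "customer:42" record id are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM enforces the key size and builds the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN encrypts pan with AES-256-GCM under key. A fresh random 96-bit nonce
// is generated per call (mandatory for GCM) and prepended to the ciphertext.
// aad, e.g. the customer or record id, is authenticated but not encrypted, so
// a blob copied onto another record fails to open. No padding is involved.
func SealPAN(key []byte, pan string, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag after the nonce: blob = nonce || ct || tag.
	return gcm.Seal(nonce, nonce, []byte(pan), aad), nil
}

// OpenPAN reverses SealPAN. Any change to nonce, ciphertext, tag or aad makes
// gcm.Open fail before a single plaintext byte is released.
func OpenPAN(key, blob, aad []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return "", fmt.Errorf("decryption failed: %w", err)
	}
	return string(pt), nil
}

func main() {
	// Demo key only. In a real deployment the key is generated and held by a
	// KMS or HSM, never stored beside the ciphertext; key management is its own
	// set of PCI DSS requirements.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// 4111111111111111 is the well-known Visa test number, not a live card.
	blob, err := SealPAN(key, "4111111111111111", []byte("customer:42"))
	if err != nil {
		panic(err)
	}
	pan, err := OpenPAN(key, blob, []byte("customer:42"))
	fmt.Println(pan, err) // 4111111111111111 <nil>
	_, err = OpenPAN(key, blob, []byte("customer:43")) // blob moved to another record
	fmt.Println(err)
	blob[len(blob)-1] ^= 1 // one flipped tag bit
	_, err = OpenPAN(key, blob, []byte("customer:42"))
	fmt.Println(err)
}
```

If a platform forces CBC on you, the rule is encrypt-then-MAC with a separate key and a constant-time tag comparison before any decryption; GCM bundles exactly that, which is why it is the default answer to this question.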
25
votes
5 answers

Does PCI compliance really reduce risk and improve security?

Might as well bring this hot topic to here! For those not in the know: https://www.pcisecuritystandards.org/
Tate Hansen
25
votes
1 answer

Has anyone achieved PCI compliance on AWS?

All the FAQs, documents and statements published by AWS aside, did any Level 1 merchant or service provider actually achieve PCI compliance on AWS yet? We're evaluating moving some of our services to EC2/VPC, but our auditor is saying that AWS…
Boris Slobodin
25
votes
2 answers

Does storing bank account-routing number combinations fall under PCI DSS Level 1 compliance rules?

I've looked at a number of question/answer threads and docs about PCI compliance, including various results on Google and have not found a definitive answer to this question: Does a web app fall under PCI compliance rules/regs if it collects the…
zealoushacker
24
votes
3 answers

PCI Compliance Scan Failing for supporting TLS 1.0, but removing support breaks < IE 10

My company is receiving this message causing us to fail our TrustKeeper PCI compliance scan: Note to scan customer: This vulnerability is not recognized in the National Vulnerability Database. TLS v1.0 violates PCI DSS and is considered an automatic…
sam_so
23
votes
4 answers

Why doesn't the client's web browser need to be PCI compliant?

A hypothetical online store that accepts credit card payment will have to be PCI compliant because it receives (transmits), processes and possibly stores credit card numbers. But the client's web browser is also transmitting a credit card number, albeit…
ixe013
23
votes
3 answers

What issues arise from sharing a SSL certificate's private key?

Scenario: I am hosting a website for my client, who we'll call S. S owns the domain s.com and I own the servers that actually host the website. S now wants to enable SSL on their website. I have generated a private key and CSR on my server, and…
josh3736
22
votes
2 answers

Effect on PCI compliance of not checking SSL certificate?

PCI DSS states: "[You must...] verify that only trusted SSL/TLS keys/certificates are accepted." Long story short, our payment service provider just asked us to please stop verifying their certificate after we had some SSL handshake issues. Is this…
Eric R.
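Three of the questions above are two sides of the same TLS configuration: the server side ("Should I disable TLS 1.0", the TrustKeeper scan failing on TLS 1.0) and the client side (the payment provider asking you to stop verifying their certificate). Added example, not code from any of those questions or their answers: a Go program that puts the PCI DSS "no SSL, no early TLS" rule into a server tls.Config, shows the merchant-side client config with verification on and with the InsecureSkipVerify setting the provider asked for, and runs the handshakes in-process over net.Pipe so the effect of each setting is observable. The gateway hostname, the throwaway self-signed certificate and the function names are this example's own assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const gatewayHost = "gateway.example.test" // hypothetical provider name, demo only

// selfSignedCert builds a throwaway ECDSA certificate for gatewayHost so the
// handshakes run in-process; putting it in a CertPool stands in for the trust store.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: gatewayHost},
		DNSNames:     []string{gatewayHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// ServerConfig is the "no SSL, no early TLS" server side: nothing below TLS 1.2.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true, // keeps post-handshake writes off the in-memory pipe
	}
}

// ClientConfig is the merchant side. verify=true makes crypto/tls check the chain
// against roots and the name against serverName; verify=false is InsecureSkipVerify,
// kept only to show what it accepts. MinVersion is set low on purpose so maxVersion
// alone decides what the client offers.
func ClientConfig(roots *x509.CertPool, serverName string, maxVersion uint16, verify bool) *tls.Config {
	return &tls.Config{
		RootCAs:            roots,
		ServerName:         serverName,
		MinVersion:         tls.VersionTLS10,
		MaxVersion:         maxVersion,
		InsecureSkipVerify: !verify,
	}
}

// Handshake runs one handshake over net.Pipe and returns the negotiated version.
func Handshake(server, client *tls.Config) (uint16, error) {
	c1, c2 := net.Pipe()
	defer func() { c1.Close(); c2.Close() }()
	srv, cli := tls.Server(c1, server), tls.Client(c2, client)
	srvErrCh := make(chan error, 1)
	go func() { srvErrCh <- srv.Handshake() }()
	if err := cli.Handshake(); err != nil {
		c2.Close() // never leave the server goroutine waiting on a dead peer
		<-srvErrCh
		return 0, fmt.Errorf("client: %w", err)
	}
	if err := <-srvErrCh; err != nil {
		return 0, fmt.Errorf("server: %w", err)
	}
	return cli.ConnectionState().Version, nil
}

// VerifyGateway is the check crypto/tls performs when InsecureSkipVerify is
// false: chain to a trusted root and match the expected hostname.
func VerifyGateway(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	cert, parsed, _ := selfSignedCert()
	roots := x509.NewCertPool()
	roots.AddCert(parsed)
	_, err := Handshake(ServerConfig(cert), ClientConfig(roots, gatewayHost, tls.VersionTLS10, true))
	fmt.Println("TLS 1.0 client:", err) // rejected by the server
	v, err := Handshake(ServerConfig(cert), ClientConfig(roots, gatewayHost, tls.VersionTLS12, true))
	fmt.Printf("TLS 1.2 client, verified: 0x%04x %v\n", v, err)
	fmt.Println("wrong name:", VerifyGateway(parsed, roots, "other.example.test"))
}
```

Two things worth noting. A client with InsecureSkipVerify set completes the handshake against any name and any issuer, which is why the provider's request in the last question is a request to give up the one control that stops a man-in-the-middle on the payment leg; the handshake issues that prompted it are fixed by repairing the chain the provider serves, not by turning verification off. And the browser-compatibility question (IE < 10) is a business decision the scanner does not care about: the scan fails on what the server is willing to negotiate, so the only way to pass while keeping old clients is a separate, non-cardholder-data endpoint for them.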
22
votes
3 answers

Is SSL terminated at a load balancer PCI compliant?

I've read this nice question: Should SSL be terminated at a load balancer? And I have the same question, but with PCI-DSS compliance in mind. Is SSL terminated at the load balancer, with clear communication between the load balancer and the web…
BenMorel