toyicebear, posted June 6, 2012

> Relationship between PCI DSS and PA-DSS: Clarified that use of a PA-DSS compliant application alone does not make an entity PCI DSS compliant.

When it comes to protecting yourself/your business from liabilities, do not take the word of internet keyboard warriors at face value (especially when they are interpreted to favor their own practices). Contact your own merchant account provider and get clarification on any issues/questions. (If you are "afraid" to mention your current practices to your merchant account provider, then that itself should be a HUGE flashing warning sign that you are probably doing something incorrectly.)

If you fail to do your "due diligence" and just plod on as before, one day you might get a very nasty surprise when you find out that lamenting "BUT I DID NOT KNOW THAT" or "BUT I THOUGHT IT MEANT THAT" or "MY INTERPRETATION OF THAT WAS" does not hold much weight when it comes to payment data security.
mrbyte, posted June 6, 2012

> My understanding is that 3.2.2 over-rules 3.2, thus CVV should never (in any circumstance) be stored before, during or after authorization... However, 1.1.2 of PA-DSS is interesting, and seems to totally contradict my understanding of it! Thanks for the conversation, it's been illuminating.

You are most welcome ;-) I can see how one would think that 3.2.2 would overrule 3.2, but I believe it's actually subject to 3.2. It's only the PA-DSS that is specific in each point that it's after authorization. I've never advocated storing sensitive information beyond authorization, ever.

> When it comes to protecting yourself/your business from liabilities, do not take the word of internet keyboard warriors at face value (especially when they are interpreted to favor their own practices). Contact your own merchant account provider and get clarification on any issues/questions. (If you are "afraid" to mention your current practices to your merchant account provider, then that itself should be a HUGE flashing warning sign that you are probably doing something incorrectly.) If you fail to do your "due diligence" and just plod on as before, one day you might get a very nasty surprise when you find out that lamenting "BUT I DID NOT KNOW THAT" or "BUT I THOUGHT IT MEANT THAT" or "MY INTERPRETATION OF THAT WAS" does not hold much weight when it comes to payment data security.

Quite right. One must do their own research. I talked to my provider yesterday, and while I didn't make it a point-blank question, I did mention it in passing, and there was no outburst of "you CAN'T do that!!!!" However, I also found out that I was incorrect in my estimate of what a gateway will cost. So, personally, I will be getting one if my site passes 5 orders a month. (I had set my "trigger" at 10 per month before.) My provider didn't seem to think this was a bad thing.
Dennisra, posted June 7, 2012

> You're right, no matter how hard I try to fix you, you're still stupid, Dunweb. I have the PCI spec in front of me, and 3.2 in its entirety says:
>
> 3.2 Do not store sensitive data after authorization, even if encrypted. Sensitive data includes the data as cited in following Requirements 3.2.1 through 3.2.3
>
> Now, do I need to continue, or are we all following along? Good. Note the note that says sensitive data may be stored if there is a business justification and it is stored securely? Is it because you make so much money misinterpreting the standards? Or is it really just an inability to read, comprehend and understand basic English and how outlines and such work? Either way, you are a profiteering blowhard. As far as "turning me in" goes, go ahead. Good luck with that... Cheers

Well said and thank you!!