Pci DSS

Walter D Vaughan Jr wvaughan at steelerubber.com
Tue Sep 17 11:15:23 PDT 2013


> -----Original Message-----
> From: ken_wakeman at me.com [mailto:ken_wakeman at me.com]
> Sent: Tuesday, September 17, 2013 12:46 PM
> Subject: Re: Pci DSS
> 
> Well I may be ok then.
> 
> Running Fp 5.6
> Openserver 6.0
> 
> But I think that I would need to decrypt on the auto process if the user
> needs to view the encrypted info.
[Walter D Vaughan Jr]
No one after a card is processed should ever need to access it within
filePro. Burn it instantly.
Deal with the card at the authorize.net or your processor level.
You will fail PCI compliance if you think people need access to card
information.
> 
> Second , looks like no index then on that field.
[Walter D Vaughan Jr]
Why would you want an index on a credit card field? You should never have to
look up a card number. Typed a wrong number or amount? Again, you deal with
it at the processor level. They need a refund? "I will need your card again,
Ms. Smith, in order to refund your order. We used a card that ended in 4789
last time; can you give me that card number again?"
> 
> Thoughts?
Your problem is going to be layered access control. And a million other
things, like enforcing a password policy and having a written document
describing how you will spot check your network for someone setting up an
ad-hoc wi-fi network without your knowledge.

Some banks will work with helpful sites like http://www.compliance101.com/
to help you through the process.

And remember, you will fail. If you are going to hold card numbers then you
need to "be aware of everyone who has access to your sensitive systems, from
employees to vendors, and be sure to track their network activity" (Visa
Req. 10). The first part is easy; the second part, not so much.

The point is, you have GOT to get out of the business of holding cardholder
information in your systems.
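The "burn it instantly" advice above, as an added example that is not part of the original post or of filePro: once the processor has authorized the charge, the stored record keeps only the processor's reference and the last four digits, and a scan over anything written to disk or logs flags a full card number that slipped through. Field names such as card_number and processor_ref, and the sample order, are constructed for the example; the 4111... number is the usual Visa test PAN.

```python
import re
from typing import Dict, List

# Constructed sample: an order right after the processor authorized it.
# Field names are hypothetical; processor_ref stands in for whatever
# reference the processor (e.g. authorize.net) hands back.
AUTHORIZED_ORDER = {
    "order_id": "A-1001",
    "card_number": "4111111111111111",   # test PAN; must never be stored
    "processor_ref": "ref-abc123",       # hypothetical processor reference
    "amount": "42.50",
}

# 13-19 digits, optionally separated by spaces or dashes, not part of a longer run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: True for digit strings that could be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def burn_card(record: Dict[str, str]) -> Dict[str, str]:
    """Return a copy that is safe to keep: the full PAN is dropped and only the
    last four digits remain next to the processor reference. A refund is done
    through processor_ref, never by re-reading the card from this record."""
    safe = {k: v for k, v in record.items() if k != "card_number"}
    pan = re.sub(r"\D", "", record.get("card_number", ""))
    safe["card_last4"] = pan[-4:]
    return safe


def find_pan_leaks(text: str) -> List[str]:
    """Scan free text (a log line, an exported record, a backup listing) for
    digit runs that pass Luhn. Any hit means a full card number escaped."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def stored_record_is_clean(record: Dict[str, str]) -> bool:
    """True when nothing in the record's values looks like a full PAN."""
    return not find_pan_leaks(" ".join(str(v) for v in record.values()))


if __name__ == "__main__":
    kept = burn_card(AUTHORIZED_ORDER)
    print(kept)                                  # order_id, processor_ref, amount, card_last4
    print(stored_record_is_clean(kept))          # True
    print(stored_record_is_clean(AUTHORIZED_ORDER))  # False: full PAN still present
    print(find_pan_leaks("charged 4111 1111 1111 1111 for order A-1001"))
```

The scan is the spot check rather than the control: it is run over whatever the system writes (records, exports, application logs) to prove the PAN really is gone, while the control is that burn_card runs before anything is written at all. The "ended in 4789" conversation in the post is exactly what card_last4 supports, and nothing more.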



