Pci DSS
ken_wakeman at me.com
Tue Sep 17 11:37:48 PDT 2013
Great points walter !!
I think it is going to look like a combination of masking the number on the screen and encrypting when exporting to the banks.
My customer has over 60,000 customers who pay bi-weekly amounts on their cards. Therefore we need to keep them and upload directly to the card companies.
Some business decisions will need to be made for sure. But I will need to be prepared for changing how filepro holds the data.
I don't think there is an index on that field anyway. So probably not an issue.
Ken
Sent from my BlackBerry device on the Rogers Wireless Network
-----Original Message-----
From: Walter D Vaughan Jr <wvaughan at steelerubber.com>
Sender: filepro-list-bounces+ken_wakeman=me.com at lists.celestial.com
Date: Tue, 17 Sep 2013 14:15:23
To: filePro Mailing List<filepro-list at lists.celestial.com>
Subject: RE: Pci DSS
> -----Original Message-----
> From: ken_wakeman at me.com [mailto:ken_wakeman at me.com]
> Sent: Tuesday, September 17, 2013 12:46 PM
> Subject: Re: Pci DSS
>
> Well I may be ok then.
>
> Running Fp 5.6
> Openserver 6.0
>
> But I think that I would need to decrypt on the auto process if the user needs
> to view the encrypted info.
[Walter D Vaughan Jr]
No one after a card is processed should ever need to access it within
filePro. Burn it instantly.
Deal with the card at the authorized.net or your processor level.
You will fail PCI compliance if you think people need access to card
information.
>
> Second, looks like no index then on that field.
[Walter D Vaughan Jr]
Why would you want an index on a credit card field?
You should never have to look up a card number. Typed a wrong number or
amount? Again you deal with it at the processor level. They need a refund?
"I will need your card again Ms Smith in order to refund your order. We used
a card that ended in 4789 last time, can you give me that card number
again?"
>
> Thoughts?
Your problem is going to have a layered access control. And a million other
things like enforcing a password policy and having a written document
describing how you will spot check your network from someone setting up an
ad-hoc wi-fi network without your knowledge.
Some banks will work with helpful sites like http://www.compliance101.com/
to help you through the process.
And remember you will fail. If you are going to hold card numbers then you
need to "be aware of everyone who has access to your sensitive systems, from
employees to vendors, and be sure to track their network activity" (Visa
Req. 10) First part easy, second part not so much.
The point is, you have GOT to get out of the holding cardholder information
business in your systems.
_______________________________________________
Filepro-list mailing list
Filepro-list at lists.celestial.com