Pci DSS

Richard Kreiss rkreiss at gccconsulting.net
Tue Sep 17 22:00:47 PDT 2013


Masking the card number on screen still can expose this information.  Encrypting the card number field and the security code field (if present) is the best way to ensure protection from prying eyes.  The only other thing you would need to do is have a field for the last 4 digits of the card number for identification purposes.

My application transmits each card transaction separately and the whole data package is encrypted.



Richard Kreiss
GCC Consulting

Office: 410-653-2813





> -----Original Message-----
> From: filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com
> [mailto:filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com] On
> Behalf Of ken_wakeman at me.com
> Sent: Tuesday, September 17, 2013 2:38 PM
> To: Walter D Vaughan Jr; filePro Mailing List
> Subject: Re: Pci DSS
> 
> Great points Walter!!
> 
> I think it is going to look like a
> Combination of masking the number on the screen and encrypting when
> exporting to the banks.
> 
> My customer has over 60,000 customers who pay bi-weekly amounts on their
> cards. Therefore we need to keep them and upload directly to the card
> companies.
> 
> Some business decisions will need to be made for sure. But I will need to be
> prepared for changing how filepro holds the data.
> 
> I don't think there is an index on that field anyway. So probably not an issue.
> 
> Ken
> 
> Sent from my BlackBerry device on the Rogers Wireless Network
> 
> -----Original Message-----
> From: Walter D Vaughan Jr <wvaughan at steelerubber.com>
> Sender: filepro-list-bounces+ken_wakeman=me.com at lists.celestial.com
> Date: Tue, 17 Sep 2013 14:15:23
> To: filePro Mailing List<filepro-list at lists.celestial.com>
> Subject: RE: Pci DSS
> 
> > -----Original Message-----
> > From: ken_wakeman at me.com [mailto:ken_wakeman at me.com]
> > Sent: Tuesday, September 17, 2013 12:46 PM
> > Subject: Re: Pci DSS
> >
> > Well I may be ok then.
> >
> > Running Fp 5.6
> > Openserver 6.0
> >
> > But I think that I would need to decrypt on the auto process if the
> > user needs
> > to view the encrypted info.
> [Walter D Vaughan Jr]
> No one after a card is processed should ever need to access it within filePro.
> Burn it instantly.
> Deal with the card at the authorized.net or your processor level. You will fail
> PCI compliance if you think people need access to card information.
> >
> > Second , looks like no index then on that field.
> [Walter D Vaughan Jr]
> Why would you want an index on a credit card field?
> - you should never have to look up a card number. Typed a wrong number or
> amount? Again you deal with it at the processor level. They need a refund?
> "I will need your card again Ms Smith in order to refund your order. We used
> a card that ended in 4789 last time, can you give me that card number again?"
> >
> > Thoughts?
> Your problem is going to have a layered access control. And a million other
> things like enforcing a password policy and having a written document
> describing how you will spot check your network from someone setting up an
> ad-hoc wi-fi network without your knowledge.
> 
> Some banks will work with helpful sites like http://www.compliance101.com/
> to help you through the process.
> 
> And remember you will fail. If you are going to hold card numbers then you
> need to "be aware of everyone who has access to your sensitive systems,
> from employees to vendors, and be sure to track their network activity" (Visa
> Req. 10) First part easy, second part not so much.
> 
> The point is, you have GOT to get out of the holding cardholder information
> business in your systems.
> 
> 
> _______________________________________________
> Filepro-list mailing list
> Filepro-list at lists.celestial.com
> Subscribe/Unsubscribe/Subscription Changes
> http://mailman.celestial.com/mailman/listinfo/filepro-list
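The thread above describes one data-handling pattern (mask on screen, encrypt the card number at rest, keep only the last four digits in the clear for identification, and throw the card away once the processor has it). The following Go program is an added example written for this page; it is not filePro code and not from any of the posters. It assumes a 32-byte key supplied from outside the program (here a random demo key) and uses the standard library's AES-256-GCM, with the last four digits bound into the ciphertext as associated data so that a sealed card number copied onto a different record fails to decrypt instead of quietly returning the wrong card. The record deliberately has no field for the security code: PCI DSS does not permit storing it after authorization, encrypted or not.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// CardRecord is what the application keeps: the last four digits in the clear
// for "the card ending in 4789" conversations, and the full card number only as
// an AES-GCM ciphertext. There is no CVV field on purpose.
type CardRecord struct {
	Last4  string
	Sealed []byte // nonce || ciphertext || tag; nil once the card has been burned
}

// LuhnValid reports whether pan is all digits, at least 12 long, and passes
// the Luhn check-digit test (a cheap guard against typed-in garbage).
func LuhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return len(pan) >= 12 && sum%10 == 0
}

// MaskPAN is the on-screen form: every digit except the last four becomes '*'.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return strings.Repeat("*", len(pan))
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPAN validates the number, then encrypts it with a fresh random nonce.
// Last4 is passed as additional authenticated data, so the record's clear-text
// Last4 and its ciphertext are cryptographically tied together.
func SealPAN(key []byte, pan string) (CardRecord, error) {
	if !LuhnValid(pan) {
		return CardRecord{}, errors.New("invalid card number")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return CardRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return CardRecord{}, err
	}
	last4 := pan[len(pan)-4:]
	sealed := gcm.Seal(nonce, nonce, []byte(pan), []byte(last4))
	return CardRecord{Last4: last4, Sealed: sealed}, nil
}

// OpenPAN recovers the number for the one moment it is needed (building the
// upload to the processor). Any change to key, nonce, Last4 or ciphertext fails.
func OpenPAN(key []byte, rec CardRecord) (string, error) {
	if rec.Sealed == nil {
		return "", errors.New("card has been burned")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(rec.Sealed) < ns {
		return "", errors.New("ciphertext too short")
	}
	plain, err := gcm.Open(nil, rec.Sealed[:ns], rec.Sealed[ns:], []byte(rec.Last4))
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

// Burn drops the encrypted number once the transaction is with the processor,
// leaving only Last4 behind.
func Burn(rec *CardRecord) {
	for i := range rec.Sealed {
		rec.Sealed[i] = 0
	}
	rec.Sealed = nil
}

func main() {
	key := make([]byte, 32) // demo key; a real one comes from key management
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	rec, err := SealPAN(key, "4111111111111111") // well-known test number
	if err != nil {
		panic(err)
	}
	fmt.Println("screen:", MaskPAN("4111111111111111"), "stored last4:", rec.Last4)
	pan, err := OpenPAN(key, rec)
	fmt.Println("for upload:", pan, err)
	Burn(&rec)
	_, err = OpenPAN(key, rec)
	fmt.Println("after burn:", err)
}
```

The point of binding Last4 as associated data is that the clear-text identifier and the sealed number cannot be mixed and matched by someone with write access to the records; the point of Burn is Walter's "burn it instantly", so that a later compromise of the key finds nothing to decrypt.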

