pci-compliance

How to mark files in a GCP storage bucket as Read Only for “everyone”?

落花浮王杯 submitted on 2020-03-05 03:58:50
Question: We have a storage bucket which has sensitive data stored in it, in the form of JSON files. For PCI compliance, we have to make these files read only. Versioning will be enabled on the bucket, so a Retention policy can not be used. I tried keeping only one account in the bucket permissions with Read Only access; that (not really) partially serves the purpose. But any user with the Editor or Owner role can edit the file permissions, change it back to Editable and modify the file. How to restrict
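The weakness described in the post above (a read-only binding is only as strong as the set of principals who can rewrite the policy) can be checked mechanically. The script below is an added example, not from the post or from Google's tooling: it reads a bucket IAM policy in the JSON shape printed by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json` (or `gsutil iam get gs://BUCKET`) and lists every principal holding a role that can create, overwrite or delete objects, or change the bucket's IAM policy. The role list, the reason strings and the sample policy are assumptions constructed for the example.

```python
"""Audit a GCS bucket IAM policy for principals that can overwrite objects or change permissions.

Added example; it is not from the post. It reads the JSON shape produced by
`gcloud storage buckets get-iam-policy gs://BUCKET --format=json` (a dict with a "bindings" list).
"""
import json
import sys

# Predefined roles that carry storage.objects.create/delete or storage.buckets.setIamPolicy.
# Assumption: this set is what decides "can this principal alter the files or the policy";
# custom roles are flagged separately because their permissions are not visible in the policy.
WRITE_OR_ADMIN_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/storage.admin",
    "roles/storage.objectAdmin",
    "roles/storage.objectCreator",      # create == upload a new version over an existing name
    "roles/storage.objectUser",
    "roles/storage.legacyBucketOwner",  # can rewrite the bucket IAM policy
    "roles/storage.legacyBucketWriter",
    "roles/storage.legacyObjectOwner",  # can change object ACLs when uniform access is off
}
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

REASON_PUBLIC = "public principal holds a write/admin role"
REASON_WRITE = "can overwrite or delete objects, or change bucket IAM"
REASON_CUSTOM = "custom role: verify it lacks storage.objects.create/delete and storage.buckets.setIamPolicy"


def audit_bucket_policy(policy: dict, allowed_writers=()):
    """Return a list of (member, role, reason) for bindings that break a read-only intent.

    Project-level roles/owner and roles/editor are inherited and do not appear in the bucket
    policy, but the default legacyBucketOwner bindings for projectEditor:/projectOwner: do,
    which is exactly how a project Editor can re-grant write access to an object.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        custom = role.startswith(("projects/", "organizations/"))
        if role not in WRITE_OR_ADMIN_ROLES and not custom:
            continue  # e.g. roles/storage.objectViewer, roles/storage.legacyBucketReader
        for member in binding.get("members", []):
            if member in PUBLIC_PRINCIPALS:
                findings.append((member, role, REASON_PUBLIC))
            elif custom:
                findings.append((member, role, REASON_CUSTOM))
            elif member not in allowed_writers:
                findings.append((member, role, REASON_WRITE))
    return findings


# Constructed sample policy: one read-only service account plus the default convenience bindings.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:reader@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectAdmin",
     "members": ["user:dev@example.com"]},
    {"role": "roles/storage.legacyBucketOwner",
     "members": ["projectEditor:example-project", "projectOwner:example-project"]},
    {"role": "roles/storage.legacyBucketReader",
     "members": ["projectViewer:example-project"]}
  ],
  "etag": "CAE="
}
""")

if __name__ == "__main__":
    # Pipe a real policy in, or run without stdin to audit the constructed sample.
    policy = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for member, role, reason in audit_bucket_policy(policy):
        print(f"{member}\t{role}\t{reason}")
```

Run it as `gcloud storage buckets get-iam-policy gs://BUCKET --format=json | python audit.py`; an empty result means no principal in the bucket-level policy can touch the objects or the policy. It does not see roles inherited from the project or folder, so those bindings still have to be reviewed separately.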

Hosting a PCI compliant app on Azure

我只是一个虾纸丫 submitted on 2020-01-14 07:34:09
Question: I want to host an application on Windows Azure that stores the credit card information of users who pay to buy subscriptions for a monthly fee. I'd just have to store the card data as securely as possible (encrypt, salt, update the database password often, use HTTPS, and so on). I believe I need to be PCI compliant to be able to store this kind of information. My question is: can Azure allow me to achieve this? What are my options? Can an application on Azure process credit card payments?

SSL and Outdated TLS (1.0 and 1.1) for Web Service client application on .Net 3.5

被刻印的时光 ゝ submitted on 2019-12-20 12:31:58
Question: As per PCI, we need to stop using SSL and TLS (1.0 and 1.1 in certain implementations) from June 30th 2016, as per http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html. We have a client application built on .Net 3.5 which uses the HttpWebRequest object to connect to web services. As per MSDN, SecurityProtocolType (https://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype(v=vs.110).aspx) supports only Ssl3 and Tls (1.0) on .Net Framework 4 or below. Tls11 and Tls12 are only

Stop Elastic Load Balancer From Revealing Internal Private IP

☆樱花仙子☆ submitted on 2019-12-13 14:37:36
Question: It's come to my attention that the internal IP of EC2 instances behind an ELB, even when in a private subnet, is revealed when a particular type of request is issued, specifically one with an empty HOST value.

    telnet site_url 80
    GET / HTTP/1.0

And the returned headers:

    HTTP/1.1 301 Moved Permanently
    Cache-Control: max-age=1209600
    Content-Type: text/html; charset=iso-8859-1
    Date: Thu, 26 Mar 2015 18:47:22 GMT
    Expires: Thu, 09 Apr 2015 18:47:22 GMT
    Location: https://10.0.7.35/
    Server: Apache
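The request and response above, turned into a repeatable check. This is an added example, not from the post: it sends the same Host-less HTTP/1.0 request and flags a Location header whose host is a private, loopback or link-local address (IPv4 or IPv6), which is the leak the post describes. The sample response is constructed from the headers quoted in the post; the live probe only runs when a host is given on the command line.

```python
"""Detect an internal address leaking through a redirect issued for a Host-less request.

Added example (not from the post). `probe` sends an HTTP/1.0 request without a Host header;
`leaked_internal_address` inspects a raw response and returns any private/loopback/link-local
address found in the Location header, or None.
"""
import ipaddress
import socket
from typing import Optional
from urllib.parse import urlsplit

# HTTP/1.0 permits omitting Host, which is what makes the server fall back to its own address.
HOSTLESS_REQUEST = b"GET / HTTP/1.0\r\n\r\n"


def parse_headers(raw_response: bytes) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased name -> value dict."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_internal_address(raw_response: bytes) -> Optional[str]:
    """Return the internal address named in the Location header, or None if there is none."""
    location = parse_headers(raw_response).get("location")
    if not location:
        return None
    host = urlsplit(location).hostname  # strips scheme, port, userinfo and IPv6 brackets
    if host is None:
        return None
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # a hostname rather than a literal address
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return str(addr)
    return None


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the Host-less request to a live server and return the raw response bytes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HOSTLESS_REQUEST)
        chunks = []
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


# Constructed sample, modelled on the headers quoted in the post.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Cache-Control: max-age=1209600\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"Location: https://10.0.7.35/\r\n"
    b"Server: Apache\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    raw = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    leak = leaked_internal_address(raw)
    print(f"internal address leaked: {leak}" if leak else "no internal address in Location header")
```

The address comes from Apache building a self-referential redirect with no Host header to copy; setting ServerName to the public name (with UseCanonicalName On, or a default virtual host that answers 400 to requests for unknown hosts) stops the instance address from ever being used in a Location header. Re-run the probe after the change to confirm.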

Can I store user bank details without PCI compliance?

我只是一个虾纸丫 submitted on 2019-12-13 03:46:31
Question: We are working on a project whose nature is somewhat like ride sharing. I read about PCI Compliance; I know we have to be PCI compliant if we are dealing with credit cards or payments. I am a little ambiguous: do we store our drivers' bank info like Account number (encrypted), Account title etc. in the database? I have read about "Who must be PCI compliant?": "If you accept credit cards from your customers, then you must be PCI compliant" (reference), so if we store only bank account numbers, not credit cards, we

How Do You Ensure Data Security of Small Data?

会有一股神秘感。 submitted on 2019-12-12 18:25:27
Question: My question: What is the best approach to ensure data security of small data? Below I present a concern around symmetric and asymmetric encryption. I'm curious if there is a way to do asymmetric encryption on small data with an equivalent of some sort of "salting" to actually make it secure? If so, how do you pick a "salt" and implement it properly? Or is there a better way to handle this? Explanation of my concern: When encrypting something that has "bulk", it seems to me that asymmetric
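The concern in the post above, shown concretely. This is an added example and not the poster's code: asymmetric encryption without randomized padding is deterministic, so a low-entropy plaintext such as a card number can be recovered by encrypting guesses with the public key and comparing ciphertexts. The random prefix added in `padded_encrypt` is the "salt" the post asks about; in real systems that role is played by RSA-OAEP from a vetted library. The key (built from two small Mersenne primes), the 32-bit pad size, the Luhn filter and the sample number are all constructed for illustration and are not safe parameters.

```python
"""Why asymmetric encryption of a small value needs randomized padding (the post's "salt").

Added example, not from the post. It uses a toy RSA key built from two Mersenne primes so it
runs with no library; the 32-bit pad is only large enough to make the point. Real code uses
RSA-OAEP from a vetted library (or avoids storing card numbers at all).
"""
import secrets
from typing import Optional

P = (1 << 31) - 1          # 2147483647, prime
Q = (1 << 61) - 1          # 2305843009213693951, prime
N = P * Q                  # ~92-bit modulus: room for a 16-digit number plus the pad
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

MSG_BITS = 54              # 10**16 < 2**54, so any 16-digit card number fits
PAD_BITS = 32              # toy value; OAEP seeds with a hash-length random value (>= 160 bits)
MSG_MASK = (1 << MSG_BITS) - 1


def textbook_encrypt(m: int) -> int:
    """Deterministic RSA: the same m always produces the same ciphertext."""
    return pow(m, E, N)


def textbook_decrypt(c: int) -> int:
    return pow(c, D, N)


def padded_encrypt(m: int) -> int:
    """Prefix m with fresh random bits before exponentiation, so repeat encryptions differ."""
    if not 0 <= m <= MSG_MASK:
        raise ValueError("message does not fit in MSG_BITS")
    r = secrets.randbits(PAD_BITS)
    return textbook_encrypt((r << MSG_BITS) | m)


def padded_decrypt(c: int) -> int:
    """Strip the random prefix after decryption."""
    return textbook_decrypt(c) & MSG_MASK


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to shrink the attacker's search space."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def recover_pan(ciphertext: int, known_prefix: str, encrypt) -> Optional[str]:
    """Attacker: knows the first 12 digits (issuer range), tries every Luhn-valid 4-digit tail.

    Succeeds against textbook_encrypt because each candidate's ciphertext can be recomputed with
    only the public key; fails against padded_encrypt because the pad cannot be reproduced.
    """
    for tail in range(10_000):
        candidate = f"{known_prefix}{tail:04d}"
        if luhn_ok(candidate) and encrypt(int(candidate)) == ciphertext:
            return candidate
    return None


SAMPLE_PAN = "4111111111111111"   # constructed test number, not a real account
KNOWN_PREFIX = SAMPLE_PAN[:12]

if __name__ == "__main__":
    c = textbook_encrypt(int(SAMPLE_PAN))
    print("textbook RSA, attacker recovers:", recover_pan(c, KNOWN_PREFIX, textbook_encrypt))
    c = padded_encrypt(int(SAMPLE_PAN))
    print("padded RSA, attacker recovers:", recover_pan(c, KNOWN_PREFIX, padded_encrypt))
    print("padded decrypt round-trips:", padded_decrypt(c) == int(SAMPLE_PAN))
```

The deterministic case is recovered after at most a thousand public-key operations; the padded case is not, and two encryptions of the same number no longer match, so equality of stored ciphertexts also stops leaking equality of plaintexts. With a 32-bit pad an attacker could still try every pad value per candidate, which is why real padding uses a full-length random seed.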

PayPal vault storage - sending credit card info securely

元气小坏坏 submitted on 2019-12-12 14:07:32
Question: I am evaluating some Payment Gateway options and am looking at PayPal's vault option (similar to Braintree's vault). What I found is that in the case of Braintree's vault storage, I can send credit card info securely (encrypted) to be stored on their servers, thus obviating the necessity of PCI compliance issues. Does PayPal's vault storage API have a similar way of sending the encrypted credit card info? I am looking at their documentation and it seems as though I need to send un-encrypted

Why do FireFox and certain other browsers alter the URL in the address bar when the server responds

浪子不回头ぞ submitted on 2019-12-12 12:03:45
Question: I'm having difficulty meeting PCI-DSS compliance this quarter because of the following problem. When you type the following into a browser...

    http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22

...it responds and, as a consequence, for some reason that I cannot ascertain, the URL in the browser address bar is changed to the following:

    http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=">

Braintree Android - Use Cardbuilder to add credit card at SAQ A PCI Compliance Level

試著忘記壹切 submitted on 2019-12-11 10:17:57
Question: I am new to Braintree and I want to have my own custom UI to store credit cards. I am using the following code to tokenize the credit card.

    import com.braintreepayments.api.BraintreeFragment;
    import com.braintreepayments.api.Card;
    import com.braintreepayments.api.models.CardBuilder;

    // Build the card from the custom form fields and hand it to Braintree for tokenization;
    // the resulting payment method nonce is delivered asynchronously to the fragment's listener.
    CardBuilder cardBuilder = new CardBuilder()
            .cardNumber(mCardForm.getCardNumber())
            .expirationMonth(mCardForm.getExpirationMonth())
            .expirationYear(mCardForm.getExpirationYear());
    Card.tokenize(mBraintreeFragment, cardBuilder);

I already have PCI SAQ A compliance level. My question: will it be safe to carry out this operation considering my PCI level?