pci-dss

问题 We are going to get a Payment Gateway developed from a 3rd party and require this payment gateway to be PA-DSS and the environment to be PCI-DSS compliant. Payment Gateway will be encrypting sensitive information like (passwords, pins, credit and debit card information) and will save it into database. We require that the Key to encrypt and decrypt this information must be changed on regular basis (say quarterly). The requirement is also not to hard code this key into the code. What would be

问题 We publish an update patch to our software package in a single executable file. The file is signed with an Authenticode digital signature, using the certificate issued to us. The file is downloaded to Windows XP or Vista systems that our customers operate, where they run it in order to update our software. Our PCI compliance auditor has asked us to protect against the following situation: After downloading our executable file, a malicious person alters the file. An observant person would be

问题 I have a business requirement that forces me to store a customer's full credit card details (number, name, expiry date, CVV2) for a short period of time. Rationale: If a customer calls to order a product and their credit card is declined on the spot you are likely to lose the sale. If you take their details, thank them for the transaction and then find that the card is declined, you can phone them back and they are more likely to find another way of paying for the product. If the credit card

问题 We are working on a project its nature is somewhat ride sharing , I read about PCI Compliance i know we have to be PCI Compliance if we are dealing with credit card or payment i am a little ambiguous do we store our drivers bank info like Account number(encrypted) , Account title etc in database , i have read about Who must be PCI compliant? "If you accept credit cards from your customers, then you must be PCI compliant" reference so if we store only bank account numbers not credit card we

问题 I am evaluating some Payment Gateway options and am looking at PayPal's vault option (similar to Braintree's vault). What I found is that in the case of Braintree's vault storage, I can send credit card info securely (encrypted) to be stored on their servers, thus obviating the necessity of PCI compliancy issues. Does PayPal's vault storage API have a similar way of sending the encrypted credit card info? I am looking at their documentation and it seems as though I need to send un-encrypted

问题 In lieu of saving credit card information locally for recurring payments I was thinking I could request an authorization from a payment gateway for a certain amount and then capture that amount multiple times, every month or so. One Payment Gateway's documentation says "Captures can be submitted for an amount equal to or less than the original authorization". That's a little bit of a problem since these recurring payments would be variable (ie. you're billed based on how many API requests you

问题 I'm having difficulty meeting PCI-DSS compliance this quarter because of the following problem. When you type the following into a browser... http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E%22 ...it responds and, as a consequence, for some reason that I cannot ascertain, the URL in the browswer address bar is changed to the following: http://www.mygarble.com/main/Community/Chat?command=CHAT_MESSAGE&displayname=">

问题 I am developing an Android application (native) which contains a module to make reservations on hotels \ taxi etc . I am planning to accept the payment details (amount, credit card number, expiry date etc ) from a screen of my application and pass them to my middle layer ( hosted in IIS server in my company premises ) via a API call. Then my middle layer will call the payment gateway APIs and will pass the payment info to them for processing. Communication between both mobile app to middle

问题 I am new to Braintree and I want to have my own custom UI to store Credit card. I am using the following code to tokenize the credit card. CardBuilder cardBuilder = new CardBuilder() .cardNumber(mCardForm.getCardNumber()) .expirationMonth(mCardForm.getExpirationMonth()) .expirationYear(mCardForm.getExpirationYear()); Card.tokenize(mBraintreeFragment, cardBuilder); I already have PCI SAQ A Compliance level. My question will it be safe carry out this operation considering my PCI level? 回答1:

问题 Is there an easy way or online tool for checking a site's SSL vulnerability issues? From the PCI standards I see that a site has to force SSLv3 or TLSv1 protocols and high security encryption algorithms. And I need to check if my site is compliant with those PCI DSS standards. 回答1: You can download Nessus which is free and scans for a number of known SSL vulnerabilities to see the list of SSL related scans go to this link on the left side click search then enter SSL into the search box, there