The fact that your client does not actually perform transactions does not affect their compliance obligation, since PCI DSS applies as much to the storage of data on the card as it does to transaction processing if they are classified as a "service provider". There are additional obligations.
Depending on your relationship with your client and how you classify your software (on / off-shelf service, etc.), you may also have additional PA-DSS obligations that are targeted at software developers (including only storage) and can get pretty hardcore if you sell something designed to meet PCI requirements.
If you look at a copy of the V2 specification, all requirements are listed; 6.6 explains what you need to do with the application's public web page (for example, "independent" code viewing or application firewall).