[Seaside] Anyone familiar wityh PCIDSS?
philippe.marschall at gmail.com
Thu Jul 26 16:13:41 UTC 2012
On Thu, Jul 26, 2012 at 5:41 PM, Boris Popov, DeepCove Labs
<boris at deepcovelabs.com> wrote:
> As with any audit, exact interpretation and enforcement is up to any
> given auditor. I know it's commonly accepted that database servers are
> in a standalone secure zone with no other functions residing in that
> zone. It's not been an issue putting application servers and web servers
> on the same hosts in the DMZ for us.
> As for storage of card data, all decent processors allow you to process
> a transaction and use some notion of a resulting token for any follow up
> transactions leaving the storage concerns to the processor. If you never
> store card data and only have it in memory while it's transiting your
> system on the way to the processor, then your (self-)audit and
> compliance becomes trivial in most cases. Some processors, like Stripe,
> avoid passing card data through your environment altogether, by having
> the browser send the card data to them and replacing it with a token
> that then gets submitted to your application to initiate a payment.
Avoiding storing card data should be your top priority. Life is so
much easier and safer this way.
More information about the seaside