EzDevInfo.com

pci-dss interview questions

Top pci-dss frequently asked interview questions

Storing Credit Card Number - PCI?

What are the PCI rules to follow for storing credit card numbers in a database?

1) is this allowed? 2) if so, what rules do we have to follow?

I'm looking at this site https://www.pcisecuritystandards.org/security_standards/index.php; which document should I be reading here?


Source: (StackOverflow)

Is SQL Azure PCI-DSS Compliant?

If I were to use separate Windows Server that was PCI-DSS compliant, would I still be compliant if I had a SQL Azure hosting the backend? This is assuming that I'm compliant at the application layer, and that I'm only storing permitted values (like no CVV), etc.


Source: (StackOverflow)


Minimizing PCI compliance when my checkout flow has a confirmation page

I have a shopping cart flow like this:

  • Page 1. Choose Products
  • Page 2. Enter address, shipping, credit card details on a single page checkout.
  • Page 3. User confirms the order - but we want a final opportunity to upsell, so we must be able to change the amount charged. If the user abandons this page they should not be charged OR authorized anything, but we must be able to call them and convince them to order without having to ask for their number again.
  • Page 4. Receipt page

  • Repeat billing is a requirement for later, with variable amounts and schedules. (The user must be able to come back and change their schedule without entering CC number again).

Here's what I don't want to do:

  • Send the user to a third party page (because I want a single page checkout and retain branding)
  • Minimize PCI compliance requirements
  • Authorize payments and cancel them if the user doesn't confirm. This is asking for trouble on many levels!

Since I need a confirmation page I think I will need to use some kind of tokenization system such as offered by braintreepayments. You basically store the credit card number on their service and they give you back a token that represents that number. You can then make a charge against that card at any time for any amount. This certainly seems the most flexible solution.

I'm kind of going round in circles trying to figure out if this is the best solution or not:

  • I don't know if BrainTree is the only company that offers such a service, but I'm also not convinced it's really necessary.
  • If I temporarily store the CC in session until the user confirms it I can still use pretty much any payment gateway. Therefore the question becomes 'does it matter if I store the CC in memory temporarily' and to what degree.

The 'purest' safest approach seems to be to redirect to braintree (or someone else that offers a similar gateway).

Edit (after assigning bounty):

I've concluded that I absolutely have to have a system where we only need to meet level A for PCI. I've been studying PCI in more detail, and these questionnaires are the relevant ones for card-not-present merchants (i.e. e-commerce).

SAQ A : (when CC numbers don't even touch our server). You still have to fill out this questionnaire if you're selling online, but it is pretty easy.

SAQ D: (where CC numbers touch our server EVEN IF WE DON'T STORE THEM)

Taking a look at these questionnaires reveals a huge delta between requirements. The PCI requirements are often misrepresented as being a simple list such as 'maintain a firewall', 'security policy', 'limit physical access', but if you actually read questionnaire D you'll see it has an order of magnitude more questions and requirements. For instance, you have to answer whether or not your server is protected by a video camera, and what kind of data encryption you have on your server.

I'd really appreciate knowing what actual products or providers out there will facilitate me doing what I want to do. If there really are only 1 or 2 companies out there that let me do this then I need to know.

I've got no relationship to Braintree except I've managed to get on their email marketing list. They're just the only company I've managed to find that does this. If you are running another company doing the same then by all means blow your own trumpet. PCI requirements are only going to become more stringent over time and anyone who has got this far reading my question probably already realizes that.


Source: (StackOverflow)

How can I check for SSL vulnerabilities on my web server?

Is there an easy way or online tool for checking a site's SSL vulnerability issues?

From the PCI standards I see that a site has to force SSLv3 or TLSv1 protocols and high security encryption algorithms. And I need to check if my site is compliant with those PCI DSS standards.


Source: (StackOverflow)

Payment Processors - What do I need to know if I want to accept credit cards on my website? [closed]

This question talks about different payment processors and what they cost, but I'm looking for the answer to what do I need to do if I want to accept credit card payments?

Assume I need to store credit card numbers for customers, so that the obvious solution of relying on the credit card processor to do the heavy lifting is not available.

PCI Data Security, which is apparently the standard for storing credit card info, has a bunch of general requirements, but how does one implement them?

And what about the vendors, like Visa, who have their own best practices?

Do I need to have keyfob access to the machine? What about physically protecting it from hackers in the building? Or even what if someone got their hands on the backup files with the SQL Server data files on them?

What about backups? Are there other physical copies of that data around?

Tip: If you get a merchant account, you should negotiate that they charge you "interchange-plus" instead of tiered pricing. With tiered pricing, they will charge you different rates based on what type of Visa/MC is used, i.e. they charge you more for cards with big rewards attached to them. Interchange-plus billing means you only pay the processor what Visa/MC charges them, plus a flat fee. (Amex and Discover charge their own rates directly to merchants, so this doesn't apply to those cards. You'll find Amex rates to be in the 3% range and Discover could be as low as 1%. Visa/MC is in the 2% range.) This service is supposed to do the negotiation for you (I haven't used it, this is not an ad, and I'm not affiliated with the website, but this service is greatly needed).

This blog post gives a complete rundown of handling credit cards (specifically for the UK).


Perhaps I phrased the question wrong, but I'm looking for tips like these:

  1. Use SecurID or eToken to add an additional password layer to the physical box.
  2. Make sure the box is in a room with a physical lock or keycode combination.

Source: (StackOverflow)

How can I configure a PCI compliant development environment

We need to be PCI compliant for some credit card processing we do. How do people do this in other shops?

How do you secure your SVN?

How do you secure your build server?

How does code get migrated from the developers to production?


Source: (StackOverflow)

Costs of PCI Compliance?

We're developing a new piece of software (really just a single php script) that collects cardholder information and stores it in a MySQL database. Obviously we're taking every precaution with security (Firewall, Anti-Virus, SELinux, restrictive access to the machines), but we're trying to understand what steps we need to take next before taking it live.

As the client is a Level 4 Merchant (no actual transactions, just storage of cardholder information), what scans do we need to go out and find?

Obviously we'll need to have the server/IP scanned, but what about the php script collecting the data?


Source: (StackOverflow)

How to properly do private key management

Has anyone got practical experience or a reference for a scheme that implements a key management scheme that would comply with the PCI DSS security standard?

There are obviously quite a few implementations around given the number of companies compliant with PCI DSS but trying to find details of them is tough. When it gets down to storing private data the discussion normally stops at which encryption algorithm to use. After that there's normally a statement about appropriately storing the private key but no discussion about practical ways to do it or things like periodically changing the key or providing the key to applications etc.

Specifically, I'm interested in the requirements from sections 3.5 and 3.6 of the PCI DSS standard.

3.5.2 Store cryptographic keys securely in the fewest possible locations and forms.

3.6.a Verify the existence of key-management procedures for keys used for encryption of cardholder data. Note: Numerous industry standards for key management are available from various resources including NIST, which can be found at http://csrc.nist.gov.

3.6.4 Verify that key-management procedures are implemented to require periodic key changes at least annually.

I've had a look at the NIST Cryptographic publications as the PCI DSS requirements document suggests but apart from recent notes of a Cryptographic Key Management Workshop there doesn't appear to be much there in the way of real implementable schemes or standards.

As to what I'm trying to do it's not:

  1. Store passwords + salts as one way hashes for authentication,
  2. Choose a strong symmetric algorithm for data encryption,
  3. Avoid needing to store private data in the first place.
  4. Avoid the need for key management with other mechanisms: physical security, database security, dragons and wizards etc.

All of which are valid concerns but in this case are not the answer. The nuts and bolts of my requirements are in a different SO question, .Net Design pattern for storing and retrieving sensitive per user data, but it all boils down to key management, hence this more refined question.


Source: (StackOverflow)
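The key-management concerns raised above (3.5.2: keys in the fewest possible locations and forms; 3.6.4: periodic key changes) are usually met with envelope encryption: a single key-encryption key (KEK) held in one place wraps versioned data-encryption keys (DEKs), each stored record carries the DEK version it was sealed under, and rotation means minting a new DEK, re-encrypting records onto it, then destroying the retired versions. The following is an added, self-contained illustration of that pattern, not code from the question or from any product it mentions. It assumes a hypothetical `KeyStore` class of my own design, uses constructed test card numbers, and substitutes an HMAC-SHA256 encrypt-then-MAC construction for a real AEAD (AES-GCM from a vetted library) purely so it runs on the standard library; the key-handling flow is the point, not the cipher.

```python
"""Envelope encryption with versioned DEKs wrapped by one KEK.

Added example for the PCI DSS 3.5.2 / 3.6.4 discussion; not from the original
question. The HMAC-based cipher is a stand-in for a real AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF (HMAC-SHA256) in counter mode, used here as a stand-in stream cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under a fresh random nonce; returns nonce || ct || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modification."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyStore:
    """Hypothetical key store: DEKs exist at rest only in wrapped form, the KEK
    lives in exactly one place (an HSM/KMS in production; a constructor argument
    here), and a plaintext DEK is unwrapped only for the duration of one call."""

    def __init__(self, kek: bytes):
        self._kek = kek
        self._wrapped = {}          # DEK version -> DEK wrapped under the KEK
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Mint a new DEK version; new writes use it, older versions stay readable."""
        self.current += 1
        self._wrapped[self.current] = seal(self._kek, secrets.token_bytes(32))
        return self.current

    def _dek(self, version: int) -> bytes:
        if version not in self._wrapped:
            raise KeyError(f"DEK version {version} has been retired")
        return unseal(self._kek, self._wrapped[version])

    def encrypt(self, plaintext: bytes) -> tuple:
        """A record is (key version, blob) so rotation never orphans old data."""
        return self.current, seal(self._dek(self.current), plaintext)

    def decrypt(self, record: tuple) -> bytes:
        version, blob = record
        return unseal(self._dek(version), blob)

    def reencrypt(self, records: list) -> list:
        """Move every record onto the current DEK, then destroy retired versions
        so nothing remains decryptable under the old key (completes a 3.6.4 change)."""
        fresh = [self.encrypt(self.decrypt(r)) for r in records]
        for version in [v for v in self._wrapped if v != self.current]:
            del self._wrapped[version]
        return fresh

    def versions(self) -> list:
        return sorted(self._wrapped)


def demo() -> dict:
    """Encrypt, rotate (e.g. the annual change), re-encrypt, and check tamper detection."""
    store = KeyStore(secrets.token_bytes(32))   # KEK: from an HSM/KMS in production
    pan1, pan2 = b"4111111111111111", b"5555555555554444"   # constructed test PANs
    rec1 = store.encrypt(pan1)
    store.rotate()
    rec2 = store.encrypt(pan2)
    readable = store.decrypt(rec1) == pan1 and store.decrypt(rec2) == pan2
    migrated = store.reencrypt([rec1, rec2])
    tampered = bytearray(migrated[0][1])
    tampered[20] ^= 0x01                          # flip one ciphertext bit
    try:
        store.decrypt((migrated[0][0], bytes(tampered)))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "readable_across_rotation": readable,
        "record_versions_after": [v for v, _ in migrated],
        "versions_after": store.versions(),
        "decrypted_after": [store.decrypt(r) for r in migrated],
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the PCI intent: the KEK is the only long-lived secret and is never written next to the data it protects, and records name their key version, so a rotation is a controlled migration rather than a flag day. Distributing the KEK to applications (the "providing the key" part of the question) is then a question of access to the HSM/KMS, not of copying key material around.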

Online Credit Card Storage? [closed]

I am about to inherit and work on a small business retail website that is very poorly designed. Among other things, the greatest concern is with the current credit card processing.

Currently, the owner retrieves credit card information (name, number, CVV2 and expiration date) from an online order form and saves all of that information in plain text within a MySQL database. A notification then gets sent to his email that someone has ordered. Thereafter, he has an administrative back-end page on which he views the orders and credit card information, which he uses to process offline with his own merchant.

After retrieving the information from the back-end page, the credit card number and CVV2 are immediately deleted (a PHP script is automatically called). The information is also deleted if that page is not accessed within 7 days. So, there is a potential for all of the information to be in the database in plain text for seven days before transaction processing.

This does not seem like a good design and may be illegal. If it is illegal, I am going to have to break this to him, because he does not realize that yet.

My question: Besides being insecure, is this illegal or a violation of terms of use (PCI DSS)? And, if so, how can I prove it to him so that he will allow me to change his ways (obviously, I don't want to put my hands into something that is illegal. Also, sometimes the wording of terms of use can seem subjective)? Finally, what are the best options for fixing this issue (3rd party online merchant, becoming PCI DSS compliant, or something else)?


Source: (StackOverflow)

Please provide an Apache SSLCipherSuite that will pass a PCI Compliance Scan

I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in ssl.conf...

SSLProtocol    ALL -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP

failed citing that weak ciphers were enabled. Scans with ssllabs and serversniff tools revealed that 40 and 56 bit keys were indeed available.

I then changed to...

SSLProtocol -ALL +SSLv3 +TLSv1

and tried all of the following strings reported on various sites to pass PCI scans from assorted vendors...

SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
SSLCipherSuite ALL:!ADH:!NULL:!EXP:!SSLv2:!LOW:!MEDIUM:RC4+RSA:+HIGH

I am restarting Apache after updates and apachectl configtest says that my syntax is OK. Subsequent ScanAlert scans have all failed and other scanning tools continue to show 40 and 56 bit ciphers available. I have tried adding SSLProtocol and SSLCipherSuite directly to the VirtualHost in httpd.conf and that has not helped.

It actually feels like something somewhere is overriding these settings but I cannot find anything anywhere that sets these values other than ssl.conf.

If someone could provide a known good SSLCipherSuite that has passed a recent PCI scan it would help a lot in tracking down my problem.

Thanks.


Source: (StackOverflow)

How is 'processing credit card data' defined (PCI)?

If I have a web application and I receive credit card data transmitted via a POST request by a web browser over HTTPS and instantly open a socket (SSL) to a remote PCI compliant card processor to forward the data and wait for a response, am I allowed to do that? Or is receiving the data with my application and forwarding it already subject to "processing credit card data"?

If I create an iframe that is displayed in a client browser to enter CC data and this iframe posts the data via HTTPS to the remote card processor (directly!), is this already a case of processing credit card data? Even if my application code 'doesn't touch' the entered data with any event handlers?

I'm interested in the definition of "credit card data processing". When does it start to be a CC data processing application? Can somebody maybe point me to the section in the PCI-DSS standard that clearly defines when you start to 'be a processing application'?

Thanks,


Source: (StackOverflow)

Is it possible to POST/GET data to a TLSv1.1+ secured site without curl and wget?

I am in this very unfortunate situation:

  • My website is using outdated software (security patches are applied) with OpenSSL 0.9.8o 01 Jun 2010 which doesn't support TLSv1.1/1.2
  • I also have payment gateway which is PCI DSS compliant therefore SSL and early TLS is disabled there

My website used to exchange data with the payment gateway, but as TLSv1.0 is dropped I can no longer use PHP's cURL library or even file_get_contents() (or wget/lynx/curl via shell).

Is there any workaround, any option to connect to a TLSv1.1+ secured server without using the built-in libraries?

I know some classes exist in PHP like phpseclib, which is an SSH client, great for people who can't use the SSH2 module.

Does something like that exist for PHP? Is there any way I can connect to my gateway?

So far my best idea is connecting to the gateway through another server (with updated software).


Source: (StackOverflow)

How to take credit cards online for future payments?

I have a couple of clients that want to take credit card details on their website that they can then bill in the future (one runs courses and users are only billed 4 weeks before their course if they haven't cancelled, and one runs a charity where each fundraiser is required to raise at least $3k, and anything less than that is taken from their credit card). I totally appreciate they can't/shouldn't take and store the CC data on their own sites, but I wanted to check your views on the best solution to do this. Obviously if the users were paying immediately online then it would be fine and any payment gateway could be used; however, they need to not bill them immediately and instead charge the cards, an indeterminate amount of time in the future (usually a couple of months later), an amount that can only be established just before payment.

Am I right in thinking that the best way to do this is use some kind of variable recurring payment system (eg WorldPay's FuturePay, PayPal's automatic billing or Authorize.net's CIM service). These (and other similar services) allow for variable payments (although WorldPay/PayPal seem to be setup for recurring payments rather than one offs).

There also appears to be the option to use a company like http://www.braintreepayments.com/credit-card-storage to store the information. I would be most grateful if anyone could confirm how you generally go about dealing with this situation and whether you use the options I list above or if there are any better/more suited alternatives?


Source: (StackOverflow)

Storing Credit Card Info

So I know there have been numerous posts about storing credit card information. We are building a mobile application and want people to be able to enter in their card information once, not with each purchase.

We looked at Authorize.net CIM, and it appears to be an ideal solution (we just store a profile ID or token that returns the credit card number)... but it might fall short of our needs, since the credit card information isn't (necessarily) processed by Authorize.net but by whatever merchant account we are sending the payment to. In other words, we want to store the credit card information like a wallet... not necessarily process with Authorize.net every time.

Reading the CIM XML documentation (p.94), it looks like the getCustomerPaymentProfileResponse masks the credit card return data... so I don't see how that would be useful for processing if the data is masked?

We do have some other options for implementation but I was really hoping to have a web-based way for customers to manage their payment accounts. Does anyone know of any ways to store credit card data that can be called on demand to be passed to any given merchant's processor?

EDIT 4.28.2011 - I'm hitting a wall with this. What if we don't store the credit card information at all, but have customers enter it and then pass it on... how do we do that securely? No storing it, pass it along over HTTPS, encrypt card data while in transit?


Source: (StackOverflow)

Using a payment gateway and PCI compliance

I'm considering using eWay as a payment gateway. They offer two options. One is to allow users to type in credit card data on an eWay hosted website; the other is to use my own form and send credit card data via my server to eWay's backend. The second option (their page with details) seems more appropriate for me, as the user would never leave my site and branding would be maintained. Now, I spoke to support and they said that my site will be PCI compliant as long as I use SSL. So basically I can allow users to provide CC numbers on my site and send them to eWay's backend via XML. As long as I don't store sensitive data, but only transfer it, it is OK. Until now I thought that as long as CC data hits my server my site needs to be PCI compliant, but now I'm not sure. If someone could explain to me how it really is, that would be much appreciated.


Source: (StackOverflow)