security - TLS secure enough? Need rolling hash in a PA-DSS payment application?


Hi, I'm a software engineer and I'm currently working on a second payment application (my third) that should go under PCI PA-DSS compliance. I re-examined the PA-DSS documentation and I feel that if I was working on the protection of the application in the past, then I would have passed with TLS and user/pass. Therefore, my questions are, when implementing a PA-DSS secure application:

  1. Is TLS + user/pass enough for authentication and communication security?

  2. Which part of the PA-DSS standard(s) justifies the need to implement message hashing and a rolling hash between web method calls? TLS implements reliable messages, but there is no healing and persistent callers between messages; will there be a difference in implementing a rolling hash (from a PA-DSS standpoint)?

  3. If the payment processing application stores PII information and works for different companies (which means that company A and company B are in the account), then there is no specific requirement in it that PII information cannot be stored in the same DB, but in the past a PA-QSA has emphasized this issue. The question is: is this really necessary? I cannot author .NET; in a company with thousands of customers and processors, there are different databases to store the credit cards processed through each of our client companies. Thanks in advance.


    Update #1:

    • Assume all pages and web services, in both the DMZ and the Secure Zone, will have HTTPS for all communication channels, pages and services. At #3, the question is not about the state of storage or security of sensitive information.

      Here are some issues.

      1) Using only TLS for username and password is still a vulnerability. A violation of it and its basics can be used to abduct any account on your system using the fire-type attack.

      I know that PA-DSS 2.0 does not include the whole of the Top 10, but you should pay attention to requirement 12.1:

      12.1 Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access

      which will include an administrative HTTP interface.

      2) PA-DSS recommends using actual transport layer security such as VPN and TLS/SSL. I do not believe there is a need to laugh, and honestly it is not a very safe design. This kind of traffic requires full transport layer protection.

      3) Do not forget about requirement 9:

      9. Cardholder data should never be stored on an Internet-connected server
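To make concrete what a "rolling hash between web method calls" (question 2) adds on top of TLS, here is an added example that is not part of the question or the answer above: each call carries an HMAC that is chained to the previous call's MAC and to a sequence number, so the server can detect a replayed, reordered or tampered request at the application layer, which TLS on its own does not do across separate requests. The class names, the shared key, the JSON canonicalisation and the sample messages are all constructed for this illustration; in a real deployment the channel would still be TLS, as the answer recommends.

```python
import hashlib
import hmac
import json
import secrets

# Both sides share a secret key (constructed here; in practice provisioned out of band).
MAC_LEN = 32  # SHA-256 output size


def canonical(body: dict) -> bytes:
    """Canonical JSON so client and server MAC exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class RequestSigner:
    """Client side: signs each web-method call, chaining to the previous MAC."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0
        self.prev_mac = b"\x00" * MAC_LEN  # chain anchor for the first call

    def sign(self, body: dict) -> dict:
        self.seq += 1
        data = self.prev_mac + self.seq.to_bytes(8, "big") + canonical(body)
        mac = hmac.new(self.key, data, hashlib.sha256).digest()
        self.prev_mac = mac  # the next call's MAC depends on this one
        return {"seq": self.seq, "body": body, "mac": mac.hex()}


class RequestVerifier:
    """Server side: accepts a call only if it is the next one in the chain."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 1
        self.prev_mac = b"\x00" * MAC_LEN

    def verify(self, msg: dict) -> bool:
        # Wrong sequence number means a replay, a gap, or an out-of-order call.
        if msg.get("seq") != self.expected_seq:
            return False
        data = self.prev_mac + self.expected_seq.to_bytes(8, "big") + canonical(msg["body"])
        expected = hmac.new(self.key, data, hashlib.sha256).digest()
        try:
            presented = bytes.fromhex(msg["mac"])
        except (KeyError, ValueError):
            return False
        # Constant-time comparison; a MAC mismatch means tampering or a wrong key.
        if not hmac.compare_digest(expected, presented):
            return False
        # Only advance the chain after a fully valid message.
        self.prev_mac = expected
        self.expected_seq += 1
        return True


def demo() -> tuple:
    """Walk through accept / replay / tamper / accept and return the outcomes."""
    key = secrets.token_bytes(32)  # constructed shared secret
    signer = RequestSigner(key)
    verifier = RequestVerifier(key)

    m1 = signer.sign({"method": "authorize", "amount": 1000})
    m2 = signer.sign({"method": "capture", "amount": 1000})

    ok_first = verifier.verify(m1)          # genuine call: accepted
    ok_replay = verifier.verify(m1)         # same call again: seq already consumed
    tampered = dict(m2, body={"method": "capture", "amount": 999999})
    ok_tampered = verifier.verify(tampered)  # right seq, body changed: MAC fails
    ok_second = verifier.verify(m2)         # the untouched second call: accepted
    return ok_first, ok_replay, ok_tampered, ok_second


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The verifier advances its chain state only after a message passes both the sequence check and the MAC check, so a rejected replay or tampered message cannot desynchronise the two sides. Note that this gives per-call integrity and ordering for one logical session; it is not a substitute for the transport protection the answer describes, and a practical design also needs a way to re-anchor the chain when a session starts.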
