PCI Compliance

"The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements. "

"Founded by five global payment brands -- American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. -- who have agreed to incorporate the PCI DSS as the technical requirements of each of their data security compliance programs. "

More here.


Important rules:
"If you are a merchant that accepts payment cards, you are required to be compliant with the PCI Data Security Standard."
"The standards apply to all organizations that store, process or transmit cardholder data – with guidance for software developers and manufacturers of applications and devices used in those transactions."

The keystone is the PCI Data Security Standard (PCI DSS), which provides an actionable framework for developing a robust payment card data security process -- including prevention, detection and appropriate reaction to security incidents.
Very useful PCI DSS quick reference.

Some notes:

  • The goal is to protect cardholder data from thieves
  • definition of PAN – the primary account number printed on the front of a payment card (the card number)
  • In general, no cardholder data should ever be stored unless it’s necessary to meet the needs of the business
  • You can store it if required, but be sure it's really necessary. If stored, the PAN must be unreadable, but Cardholder Name, Exp date and Code do not have to be unreadable.
  • Card numbers should not be displayed (screen, logs, etc.) but can be shown masked: "the first six and last four digits are the maximum number of digits you may display". More. Similar restrictions exist for other card data such as name, exp and CVV.
  • Chip information or magnetic strip data cannot be stored.
  • Card information transferred must be protected (e.g. SSL encrypted).
  • Billing and shipping address and other account information such as the personal profile are not subject to the standard (but should be sent over SSL).
  • Best practice: on web pages set autocomplete="off" on HTML elements for payment card information.
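As an added example (not code from the original post), the masking and logging points above in JavaScript: a display mask that keeps only the first six and last four digits, and a log scrubber that redacts PAN-shaped numbers before they reach a log file. The card numbers used are constructed test values, not real cards.

```javascript
// Luhn check: every real PAN passes it, so checking it before redacting
// cuts false positives (order ids, timestamps) when scanning log text.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length >= 13 && digits.length <= 19 && sum % 10 === 0;
}

// Mask for display: keep at most the first six and last four digits,
// which is the maximum PCI DSS allows to be shown. Anything that is not
// 13-19 digits is rejected rather than partially displayed.
function maskPan(pan) {
  const digits = pan.replace(/[\s-]/g, '');
  if (!/^\d{13,19}$/.test(digits)) throw new Error('not a PAN');
  const middle = '*'.repeat(digits.length - 10);
  return digits.slice(0, 6) + middle + digits.slice(-4);
}

// Scrub a log line: every Luhn-valid run of 13-19 digits (optionally
// separated by spaces or dashes) is replaced by a token that keeps only
// the last four digits, so support staff can still match a transaction.
const PAN_CANDIDATE = /\b(?:\d[ -]?){12,18}\d\b/g;
function scrubLog(line) {
  return line.replace(PAN_CANDIDATE, (m) => {
    const digits = m.replace(/[ -]/g, '');
    return luhnValid(digits) ? '[PAN ****' + digits.slice(-4) + ']' : m;
  });
}

// Constructed sample: the 16-digit order id fails Luhn and is kept,
// the test card number is redacted.
console.log(maskPan('4111 1111 1111 1111'));
console.log(scrubLog('order 1234567890123456 paid with card 4111-1111-1111-1111'));
```

Run the scrubber in the logging layer itself (a log formatter or middleware), not at each call site, so a forgotten debug statement cannot leak a full PAN.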

All Fluid clients expect PCI compliance. One of the best ways to adhere to the standard is to ensure that credit card information is not stored on the clients' servers or even transmitted to the clients' servers. If payment info is transmitted, it must be over SSL.

Merchants are classified into different levels and each level requires meeting certain PCI requirements. All levels require a periodic network scan by an outside party.

This is a good guide.
