19 November 2008

PCIDSS

Posts relating to the category tag "PCIDSS" are listed below.

19 November 2008

Get Data Protection Right from the Start

This week one of my friends is staying with me. She attended the launch of a new interior design web site yesterday and asked some pertinent questions during the demonstration.

During the walkthrough of the shopping cart and checkout, real credit card data belonging to the demonstrator's assistant were entered on the projection screen in front of a large audience including journalists. My friend pointed this out, but too late - they had to continue. Demos should always try to use appropriate test data whenever possible - in this case it's likely the site, or a copy in a test environment, could have been set up to use test card data - so-called "magic numbers" - with a test merchant account provided by the payment gateway provider.

The web site can act as a store front for individual designers, such as my friend, and she asked where the customers were opting in for the use of their personal data, and who had access to it - the site operator or the end supplier (designer). This seems a very valid question. Apparently that hadn't been looked at yet.

Even the "best" projects seem to have a lack of data protection forethought. In this case, it clearly wasn't a problem with the budget, but the planning and system design.

Posted on: 19 November 2008 at 08:48 hrs

Comments Comments (0) | Permalink | Send Send 

10 October 2008

Plain FTP and PCIDSS

In my post earlier this week on Server Login Protection, I mentioned how file transfer protocol (FTP) is commonly used, and should not be. A data breach this week hints that FTP was the method of access that lead to the data theft.

The Breach blog reported a breach involving Gloria Jean's Coffees' e-commerce site. Their privacy and security statement aludes to higher standards:

Security
Your purchases at gloriajeans.com are safe. Our site has security measures in place to protect the loss, misuse and alteration of information under our control. We make use of appropriate commercially available software to encrypt order information.

The notification letter to the New Hampshire Department of Justice in the United States (US) says the company:

Locked down File Transfer Protocol (FTP) to specific IP's and implemented SSL encryption to this service for our website

But the strange thing is that it is an e-commerce site and that some of the data stolen was credit card information - card number, name, address and card verification value (CVV), also known as the card security code (CSC) - obtained by modification of the application scripts on the web server. In other words, inbetween the encrypted transfer (using SSL) to the web server and before sending this by an encrypted method to the payment gateway.

Enforcement of the Payment Card Industry (PCI) Data Security Standard (DSS) is much further advanced in the US. So either the site wasn't compliant in which case large fines are winging their way towards Gloria Jean's Coffees Corp, or the auditors may have missed something important here.

See also the related Keeping Up-to-Date with Security Breaches.

Posted on: 10 October 2008 at 07:02 hrs

Comments Comments (0) | Permalink | Send Send 

PCIDSS : Web Security, Usability and Design
http://www.clerkendweller.com/pcidss

Page http://www.clerkendweller.com/pcidss
Requested by 38.103.63.60 on Wednesday, 7 January 2009 at 14:49 hrs (London date/time)

Terms of use http://www.clerkendweller.com/page/terms
Privacy statement http://www.clerkendweller.com/page/privacy
© 2008-2009 clerkendweller.com