by IgorPartola 5561 days ago
Is that true though? If you have XSS vulnerabilities on your website, someone can lift the CC info right from the form before posting of any data happens. I am not sure whether PCI talks about this but I sure would be worried about this.
2 comments
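The risk in the question is that script injected into the checkout page can read the card fields and send them off before any POST happens. One defender-side check, added here as an example (not code from the thread or from Spreedly), is to lint the page's Content-Security-Policy for the settings that make that possible; the policy strings and hostnames in the test are constructed samples.

```python
"""Flag the CSP weaknesses that let injected script read and exfiltrate card fields.
Added example, not from the thread; hostnames used with it are placeholders."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'dir src src; dir src' into {directive: [sources]}, lower-cased."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def checkout_csp_findings(header: str) -> List[str]:
    """Return the findings a reviewer would raise for a page that hosts card inputs."""
    p = parse_csp(header)
    findings: List[str] = []

    # script-src falls back to default-src; with neither, any injected script runs.
    scripts = p.get("script-src", p.get("default-src"))
    if scripts is None:
        findings.append("no script-src or default-src: any injected script runs")
    else:
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("script-src allows 'unsafe-inline': injected <script> runs")
        if "*" in scripts or any(s in ("http:", "https:") for s in scripts):
            findings.append("script-src allows any origin: a remote skimmer can be loaded")

    # connect-src governs fetch/XHR, the usual channel for sending field values out.
    conn = p.get("connect-src", p.get("default-src"))
    if conn is None or "*" in conn:
        findings.append("connect-src unrestricted: fetch/XHR can send field values anywhere")

    # form-action stops injected code from repointing the form's action attribute.
    if "form-action" not in p:
        findings.append("no form-action: injected code can repoint the form's action")
    elif "*" in p["form-action"]:
        findings.append("form-action allows any origin")
    return findings
```

Image and other beacon channels (img-src, etc.) deserve the same review; this block only covers the three directives a card-field skimmer depends on most.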

We (at Spreedly) have talked to several QSAs about this question, and their take is that using a redirect removes the application from PCI scope. It's a really good illustration of how PCI != security.
I don't know if it's true. That's a great point that you raise. It'd be nice for a PCI expert to weigh in. :)