by thwarted 4215 days ago
mentioning ways to make it more secure, including tokenization, logging of CC numbers in server logs, knowing if the data transits through your server or not depending on provider

"logging of CC numbers in server logs" is an almost guaranteed way to make your setup not PCI compliant.

The PCI industry as a whole is missing a lot of this kind of guidance, in general. There's no "here's the minimum you need to do to be PCI Level X compliant". The reason is that the industry considers every situation to be different (I doubt most are all that different or if they are, 90% of them can fit into a handful of buckets), and you're supposed to hire PCI auditors to come in and certify you. Another reason there are no minimum guidelines is that PCI seems to be more about awareness than actual specific architecture. You can sidestep certain things as long as you document them and what your mitigating implementation is. This leads to...

Last time I went through a PCI setup, it was an unspoken rule that if we hired an auditor that didn't certify us even though we thought we should be, we could hire a different auditor, and keep doing so until we got one we liked.
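On the "CC numbers in server logs" point above: a small log-scrubbing filter, added here as an example and not code from the thread, that finds digit runs in a log line, confirms them with the Luhn checksum so order ids and timestamps are left alone, and masks everything but the last four digits before the line is written. The log lines are constructed samples; the 4111... number is a well-known test card number.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or dash
# (e.g. "4111 1111 1111 1111" or "4111-1111-1111-1111"), not adjacent to other digits.
# Limitation: a PAN immediately followed by a space and another number may be
# swallowed into one longer candidate and then fail the Luhn check.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pans(line: str) -> str:
    """Mask every Luhn-valid card number in a log line, keeping only the last 4 digits."""
    def _mask(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # looks like a PAN but is not one (order id, timestamp, ...)
        return "*" * (len(digits) - 4) + digits[-4:]
    return _PAN_RE.sub(_mask, line)


if __name__ == "__main__":
    # Constructed sample log lines, not real traffic.
    sample_log = [
        "2014-01-01T12:00:00Z POST /checkout card=4111111111111111 amount=19.99",
        "2014-01-01T12:00:01Z POST /checkout card=4111-1111-1111-1111 amount=5.00",
        "2014-01-01T12:00:02Z GET /orders/1234567890123 status=200",
    ]
    for entry in sample_log:
        print(redact_pans(entry))
```

Run it in front of the log writer rather than as a later clean-up pass: once a PAN has hit disk, the file is in scope.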