by MichaelGG
4187 days ago
Been a while since I read PCI DSS, but if the PAN isn't there, does it specify you have to protect that information? Also, if they don't actually have the PAN touch their servers (like, using a Braintree or Stripe-like solution), PCI compliance is quite minimal. Even PCI DSS 3.0 is trivial to deal with using Stripe (they just insert an iframe so the CC info goes directly to their site). Of course, yeah, they don't deserve the benefit of the doubt here. Given such a terrible API they probably are a mess inside, too.

Given the mess it looks like on the front, I would bet PANs are stored in clear text too!