No subject

Fri May 28 07:59:14 UTC 2010

number/CVV which are classed as 'Sensitive Cardholder Data') then you
need to ensure that any transmission and storage of this information
is done with encryption, and that the CVV is not kept beyond the point
at which the transaction is completed.

Interestingly enough, PCI-DSS actually says that you are not to store
the CVV under any circumstances. This however would make it impossible
to process a 3DS transaction. Visa/MC clarification on this point is
that you can hold it while the transaction is being processed only.
This will be written into the new PCI-DSS SAQ which will be available
this October, and will come into effect next October.

Specific things to look for with IC are sensitive data in
logging/debug logs, and the storage of orders in text files.

Where you use PGP encryption to encrypt and the process manually there
is a bit more to deal with, particularly in deleting stored CVVs.

As far as the hosting goes, I assume you have a web-application
firewall, up to date anti-virus (even on Linux boxes), file integrity
checking, remote syslogging, server access logging, and perform
regular scanning from behind the firewall, particularly after system
changes. Oh, and perform daily security checks, and conduct a
penetration test on the server at least once a year..

PCI compliance involves you reading, completing, signing and often
returning the Self-Assessment Questionnaire. And its big..

Have fun!


Jonathan Clark, Chief Executive
Setfire Media, Cartridge SAVE, Axiar Payment Solutions
0844 576 5515 / jonathan.clark at

More information about the interchange-users mailing list