是否所有源代码都需要符合 PCI 标准?
我们过去从未传输、处理或存储信用卡信息,因为我们通过 PayPal 完成所有操作,因此我们从来不需要遵守 PCI 合规性。
然而,我们正在推出一家新的在线商店,并且通过无缝结账处理信用卡信息而无需重定向到 PayPal,我们现在需要 PCI 合规性。
我们将咨询合格的安全评估公司来指导我们获得和维护 PCI 合规性。然而,在咨询他们之前,在他们试图向您推销房屋中您可能不需要的所有服务之前,我想对我正在寻找的东西有一个很好的了解。
在PCI合规性方面,我理解需要在软件和硬件层面上做好,并满足12分+的要求。我们将选择 Magento Professional,因为它具有符合 PCI 的支付系统,并且我们将选择符合 PCI 的网络托管公司(专用服务器)。但就软件而言,您是否需要一切都符合 PCI 标准?或者只是传输、存储和处理信用卡信息的软件?
例如,根据 Magento 的说法,支付软件符合 PCI 标准,而 Magento 平台则不符合。因此,您可以对 Magento 进行更改、修改和自定义,而不会影响支付软件的 PCI 合规性。
换句话说,我问的是,您只需要处理传输、处理和存储信用卡信息的源代码/软件符合 PCI 标准吗?这些“合格的安全评估公司”给人的印象是所有源代码都需要检查 PCI 合规性,这是不可能的!
例如,对于 Magento,我可以对其进行更改和修改并仍然保持 PCI 合规性吗?只要支付模块不受影响,因为它符合 PCI 标准并且网络托管、服务器和操作系统也符合 PCI 标准?
我的意思是,不处理信用卡的 php、javascript、mysql 东西不需要兼容,不是吗?当然,它们将位于同一服务器上。
We have never transmitted, processed or stored credit card information in the past as we did everything via PayPal so we never needed to be PCI compliant.
However, we are launching a new online store and by having a seamless checkout where credit card information in processed without redirected to PayPal, we need PCI compliance now.
We are going to consult a Qualified Security Assessor Company to guide us through getting and maintaining PCI compliance. However, I wanted to get a decent idea of what i'm looking at before consulting them, before they try to sell you every service in the house that you may not need.
In terms of PCI compliance, I understand it needs to be done on the software and hardware level and meet the 12 points + required. We are going with Magento Professional as it has a PCI compliant payment system, and we are going with a PCI compliant web hosting company (dedicated server). But in terms of software, do you need PCI compliance on EVERYTHING? Or just the software that transmits, store and processes credit card information?
For example, according to Magento, the Payment Software is PCI compliant, while the Magento Platform is not. So this allows you to make changes, modifications and customisations to Magento without affecting the PCI compliance of the payment software.
In other words, i'm asking, do you only need PCI compliance on the source code/software that deals with transmitting, processing and storing credit card information? These 'Qualified Security Assessor Companies' give the impression that all source code needs to be checked for PCI compliance, which is impossible!
For example, in the case of Magento, can I make changes and modifications to it and still remain PCI compliant? So long as the payment module is untouched since it is PCI compliant and the web hosting, server and OS is PCI compliant?
I mean the php, javascript, mysql stuff that does not deal with credit cards don't need to be compliant do they? they will be on the same server of course.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
基本的答案是,这取决于情况。一般来说,只有处理(或可以处理)PCI 敏感和受保护数据的源代码才需要符合 PCI 标准。但是,这意味着如果代码的其他区域可以访问安全区域,那么您也需要那里的安全性。例如,如果应用程序的另一个区域容易受到 SQL 注入的攻击,则可能会损害您的信用卡系统。这就是为什么有些人会倾向于所有软件都符合 PCI 标准。必须确保编写得不好的软件可能会被利用来危及数据的安全。
我说这取决于情况,因为检查人员总是有一些解释的空间。不过,好消息是,在所有标准中,PCI 似乎是最直接、最具体地规定了您需要做什么和不能做什么。以下是有关 PCI 直接规定的更多信息:
https://www.pcisecuritystandards.org/documents/infosupp_6_6_applicationfirewalls_codereviews .pdf
这里的基本问题是确保该网站不会在任何地方被利用。如果您在应用程序区域(信用卡数据与普通网站)之间建立了足够的“防火墙”,那么这将大大有助于表明您只需要扫描一些代码。此外,正如上述文档所述,您不必为了符合 PCI 要求而进行源代码审查。但是,您的应用程序需要进行广泛的测试,以确保其免受典型漏洞的影响。
The basic answer is that it depends. In general, only the source code that deals (or can deal) with the sensitive and protected data of PCI needs to be PCI compliant. However, this means that if other areas of your code have access into the secure areas, you need security there as well. If another area of your application were to be vulnerable to SQL injection, for instance, it might compromise your credit card systems. That is why some people will lean towards PCI compliance for all software. There has to be some assurance that a poorly-written piece of software can be exploited to compromise the safety of the data.
I say it depends because there is always some room for interpretation by those doing the inspection. However, the good news is that of all the standards, PCI seems to be the most direct and specific about what you need to do and what you cannot do. Here is more information about what PCI says directly:
https://www.pcisecuritystandards.org/documents/infosupp_6_6_applicationfirewalls_codereviews.pdf
The basic issue here is to be sure that the site cannot be exploited anywhere. If you develop sufficient "firewalls" between your application areas (credit card data versus normal website), it will go a long way towards showing that you only need to scan some code. Also, as the above document states, you don't have to do a source code review in order to be PCI compliant. However, your application needs to be extensively tested to be sure it is safe from typical vulnerabilities.
我无法谈论 PCI 合规性的法律细节,但如果我是您系统的审计员,如果任何非认证代码以与运行认证代码相同的用户 ID 运行,我会大声抱怨。
我还会仔细查看系统上有哪些 setuid/setgid 可执行文件,哪些以
root身份运行,或者以提升的capability(7)运行,这些可能会影响 PCI 合规性软件,我可能需要强制访问控制工具,例如AppArmor, SElinux、TOMOYO 或 SMACK,以及防止不受信任的执行域篡改服务器的 PCI 兼容部分的适当配置。I can't speak to the legal details of PCI compliance, but if I were an auditor of your system I would squawk very loudly if any non-certified code runs as the same userid that runs the certified code.
I'd also look pretty closely at what setuid/setgid executables are on the system, what runs as
rootor with elevatedcapabilities(7)that could influence the PCI-compliant software, and I'd probably demand mandatory access control tools such as AppArmor, SElinux, TOMOYO, or SMACK, and an appropriate configuration that prevents tampering with the PCI-compliant portions of the server by untrusted execution domains.