Is this setup PCI compliant?
I've been debating with a client who refuses to adopt PCI standards. I want to check with the community to make sure I'm correct in my objections.
Question: Is there a way to store credit card information on a shared hosting server AND be PCI compliant?
Here is the setup:
1) SSL is being implemented for the whole checkout process and for the client's site's admin section.
2) The credit card information is being stored on the server (a shared hosting plan) in a MySQL database. It is encrypted.
3) The client accesses a password-protected admin panel and prints the credit card from her website.
4) The client then manually runs the credit card info through a terminal and deletes this credit card info from the server.
No it is not.
Have a read through https://www.pcisecuritystandards.org/documents/Prioritized_Approach_V2.0.pdf - this is a good guide to PCI DSS stuff.
Personally, I'd say sections 5-10 are unlikely to be happening here.
Sometimes as developers we have to guide clients toward best practices, even when they resist. This current practice of storing encrypted data sounds extremely risky. If your client is found to be in violation, the fines alone could destroy their business, and it could come back to haunt you, as well. There is some good info on this site:
https://www.owasp.org/index.php/Handling_E-Commerce_Payments
Many merchant accounts are very affordable for small businesses. You should look into having your client set up with Authorize.net or a similar gateway. Setting up a cart/checkout process is moderately challenging, but if you were able to set up a system like you've described I'm sure you could figure it out within a week or so.
Good luck!
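The storage rule this answer implies, written out as an added example that is not code from the thread: once the card is handed to a gateway, the site keeps a masked PAN, the last four digits and the gateway's token, never the full number. CardRecord, store_card and the token value are hypothetical names and constructed data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CardRecord:
    """What the merchant's own database may retain (hypothetical schema)."""
    masked_pan: str      # e.g. "************1111", never the full PAN
    last4: str
    gateway_token: str   # reference issued by the payment gateway


def luhn_ok(pan: str) -> bool:
    """Standard Luhn checksum, used here only to reject obvious typos."""
    digits = [int(d) for d in pan][::-1]
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def store_card(pan: str, gateway_token: str) -> CardRecord:
    """Build the record that is safe to keep; the PAN itself is discarded."""
    pan = re.sub(r"\D", "", pan)
    if not 13 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("invalid card number")
    if not gateway_token:
        raise ValueError("gateway token required; the PAN is not stored")
    return CardRecord("*" * (len(pan) - 4) + pan[-4:], pan[-4:], gateway_token)


def contains_pan(text: str) -> bool:
    """Detect a full card number leaking into data about to be stored or logged.

    Any 13-19 digit run (spaces or dashes allowed) that passes Luhn is
    reported; a Luhn-valid non-card number would be a false positive.
    """
    for m in re.finditer(r"(?:\d[ -]?){13,19}", text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return True
    return False
```

Running contains_pan over a record's string form, or over log lines, is a cheap way to confirm that no code path writes the full PAN back into the database the question describes.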
It is possible to use a shared hosting provider and be PCI compliant. The PCI standard includes additional controls that must be in place if you are (or are using) a shared hosting provider.
The extra controls include the ability to separate processes between the different clients, control access of one client's data by another client, control access to audit logs and others.
However, if you decide to go down this route... good luck!
Take a look at MaximumASP's maxesp cloud offering: http://www.maximumasp.com/products/cloudhosting/default.aspx
They claim to be "completely PCI compliant" for both web and data tiers on their shared hosting cloud plan. Short of evidence to the contrary, the answer to your question appears to be "yes" assuming MaximumASP's claim is valid. I'm not familiar enough with the details of PCI to argue against them but I'd be very interested if anyone else can refute the claim.