#275
07-14-2010, 04:24 PM
Ene
X-Cart team
Join Date: Aug 2004
Posts: 907

Re: X-Payments 1.0 beta5 announcement

Quote:
How about just eliminating the PIN codes? I haven't run into a gateway yet that requires two factor authentication so why does X-Payments? Don't tell me its because PCI-DSS requires two factor authentication. That's only for remote network level access (VPN) to the cardholder data environment not application level access.

You refer to PCI-DSS, however we should check PA-DSS.

https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf

It says that:

Quote:
PA-DSS Requirements
11. Facilitate secure remote access to payment application

11.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism

Testing Procedures
11.2 If the payment application may be accessed remotely, examine PA-DSS Implementation Guide prepared by the software vendor, and verify it contains instructions for customers and resellers/integrators regarding required use of two-factor authentication (user ID and password and an additional authentication item such as a smart card, token, or PIN).

When you log in to your application, do you access it remotely? Yes.
That's why we need two-factor authentication, i.e. PIN codes.


Quote:
Then there's the fact that XPayments requires a username, password and PIN code just to log in - the pin codes expire and change every time one logs in, so that means you now need to store PIN codes somewhere - which seems to reduce security, not enhance it.

No.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid: http://www.ecwid.com/ (since Sept 2009)

ex-Head of X-Cart Tech Support Department
ex-X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer


Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
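As an added illustration of the password-plus-PIN login discussed above (example code, not from the post and not X-Payments' own implementation), the following Python class verifies a second factor made of one-time PIN codes: the server keeps only salted hashes, each PIN is consumed on its first successful use, and unused PINs expire. The 6-digit format, batch size of five and one-hour lifetime are assumptions.

```python
import hashlib, hmac, os, secrets, time

# Constructed illustration, not X-Payments code; 6-digit PINs, batches of five
# and a one-hour lifetime are assumptions.
ITERATIONS = 50_000

def _kdf(salt: bytes, secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

class TwoFactorLogin:
    """Password plus one-time PIN. PINs exist server-side only as salted
    hashes, are consumed on first successful use and expire after `ttl`."""
    def __init__(self, ttl_seconds: float = 3600, now=time.time):
        self.now, self.ttl = now, ttl_seconds
        self._passwords = {}  # user -> (salt, digest)
        self._pins = {}       # user -> [(salt, digest, issued_at), ...]

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._passwords[user] = (salt, _kdf(salt, password))

    def issue_pins(self, user: str, count: int = 5) -> list:
        """Return a fresh batch once; the clear text is never retained."""
        pins = [f"{secrets.randbelow(10**6):06d}" for _ in range(count)]
        issued, batch = self.now(), []
        for pin in pins:
            salt = os.urandom(16)
            batch.append((salt, _kdf(salt, pin), issued))
        self._pins[user] = batch
        return pins

    def _consume_pin(self, user: str, pin: str) -> bool:
        matched, remaining = False, []
        for salt, digest, issued in self._pins.get(user, []):
            if self.now() - issued > self.ttl:
                continue                      # expired: dropped
            if not matched and hmac.compare_digest(digest, _kdf(salt, pin)):
                matched = True                # used once: not re-added
                continue
            remaining.append((salt, digest, issued))
        self._pins[user] = remaining
        return matched

    def login(self, user: str, password: str, pin: str) -> bool:
        """Both factors must pass; the PIN is checked (and consumed) only
        after the password verifies, so bad passwords cannot burn PINs."""
        rec = self._passwords.get(user)
        if rec is None or not hmac.compare_digest(rec[1], _kdf(rec[0], password)):
            return False
        return self._consume_pin(user, pin)
```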