Quote:
    How about just eliminating the PIN codes? I haven't run into a gateway yet that requires two-factor authentication, so why does X-Payments? Don't tell me it's because PCI-DSS requires two-factor authentication. That's only for remote network-level access (VPN) to the cardholder data environment, not application-level access.
You refer to PCI-DSS; however, we should check PA-DSS.
https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf
It says that:
Quote:
    PA-DSS Requirements
    11. Facilitate secure remote access to payment application
    11.2 If the payment application may be accessed remotely, remote access to the payment application must be authenticated using a two-factor authentication mechanism.

    Testing Procedures
    11.2 If the payment application may be accessed remotely, examine PA-DSS Implementation Guide prepared by the software vendor, and verify it contains instructions for customers and resellers/integrators regarding required use of two-factor authentication (user ID and password and an additional authentication item such as a smart card, token, or PIN).
When you log in to your application, do you access it remotely? Yes.
That's why we need two-factor authentication, i.e. PIN codes.
Quote:
    Then there's the fact that X-Payments requires a username, password and PIN code just to log in - the PIN codes expire and change every time one logs in, so that means you now need to store PIN codes somewhere - which seems to reduce security, not enhance it.
No.
__________________
Eugene Kaznacheev,
Evangelist/Product Manager at Ecwid:
http://www.ecwid.com/ (since Sept 2009)
ex-Head of X-Cart Tech Support Department
ex-X-Cart Hosting Manager - X-Cart hosting
ex-X-Cart Technical Support Engineer
Note: For the official guaranteed tech support services please turn to the Customers HelpDesk.
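The exchange above turns on what a login-time PIN as a second factor actually is: a short-lived, single-use code that is issued afresh for each login attempt, so a stored list of codes is not what makes it work. The following is an added illustrative model of that mechanism, not X-Payments' implementation and not from the thread. It assumes a server-side store (`OneTimePinFactor`, a hypothetical name), a 120-second lifetime, a 6-digit PIN and a 3-attempt limit; only a salted hash of the PIN is kept, a correct PIN is consumed on use, and a few wrong guesses invalidate it. The out-of-band delivery of the PIN (to a token, device or similar) is outside the model.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 120   # assumed lifetime of an issued PIN
PIN_DIGITS = 6          # assumed PIN length
MAX_ATTEMPTS = 3        # assumed number of wrong guesses before the PIN is void


class OneTimePinFactor:
    """Second factor that issues a fresh PIN for each login attempt.

    Illustrative model only (not X-Payments' code): the store keeps a salted
    hash, each PIN is valid once and for a short time, and repeated wrong
    guesses discard it. `clock` is injectable so expiry can be tested.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        # user_id -> (salt, pin_hash, expires_at, wrong_attempts)
        self._pending = {}

    @staticmethod
    def _digest(salt: bytes, pin: str) -> bytes:
        return hashlib.sha256(salt + pin.encode("ascii")).digest()

    def issue(self, user_id: str) -> str:
        """Generate a new PIN for the user, replacing any earlier unused one."""
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = (
            salt,
            self._digest(salt, pin),
            self._clock() + PIN_TTL_SECONDS,
            0,
        )
        # The plaintext PIN goes to the user out-of-band; it is not stored.
        return pin

    def verify(self, user_id: str, pin: str) -> bool:
        """Check a submitted PIN: unknown, expired, reused or guessed PINs fail."""
        record = self._pending.get(user_id)
        if record is None:
            return False
        salt, expected, expires_at, attempts = record
        if self._clock() > expires_at:
            del self._pending[user_id]          # expired: discard it
            return False
        if hmac.compare_digest(self._digest(salt, pin), expected):
            del self._pending[user_id]          # single use: consumed on success
            return True
        attempts += 1
        if attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses: void the PIN
        else:
            self._pending[user_id] = (salt, expected, expires_at, attempts)
        return False
```

Because the PIN changes on every login and is discarded once used, a captured PIN is useless for a later session, which is the property that distinguishes this factor from a static password.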