#151, 02-07-2010, 07:26 AM
geckoday (X-Wizard, Join Date: Aug 2005, Posts: 1,073)

Re: X-Cart and PCI-DSS / PA-DSS compliance

Quote:
Originally Posted by cautious
On the original issue: There is no need to encrypt software for PCI-DSS compliance - unless there is a hidden agenda to make difficult user mods and 3rd party mods.
That is correct. I don't know where vendors get the idea they need to do this. It's not very friendly to those of us who bought the software because they get the source code and can modify it.

Quote:
Originally Posted by cautious
Regardless of whether or not the underlying software is obfuscated, if you save a customer's credit card # and the CVV/CVV2 then you're not compliant. I have read policies that claim security and therefore compliance because they claim to delete these data after 30 days from their database.
No, storing card numbers is allowed by both PCI-DSS and PA-DSS and storing CVV/CVV2 is allowed PRIOR TO AUTHORIZATION only. Any card data must be stored encrypted using strong key management and once the card is authorized CVV/CVV2 must be deleted using a secure deletion method (e.g. multiple overwrites). There are a lot more hoops to jump through if you choose to store card numbers. I wouldn't recommend any small merchant store card numbers as meeting the requirements is a significant undertaking.
__________________
Manuka Bay Company
X-Cart Version 4.0.19 [Linux]

UGG Boots and other fine sheepskin products
http://www.snowriver.com
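An added example, not code from this thread or from X-Cart, showing the lifecycle geckoday describes: the CVV may exist only until authorization and is then removed with a multi-pass overwrite, and nothing written after authorization carries it. The PAN is only masked here; encrypting a full PAN under managed keys is assumed to be handled by a separate KMS-backed component that is not shown, and the processor call is a stand-in.

```python
import os
import secrets
import tempfile

# Constructed sample of what a checkout step holds before authorization.
# The CVV may exist only until the authorization response comes back.
PRE_AUTH_RECORD = {"pan": "4111111111111111", "expiry": "12/27", "cvv": "123"}

def secure_delete(path: str, passes: int = 3) -> bool:
    """Overwrite a file several times, then unlink it.
    Caveat: on SSDs and on journaling or copy-on-write file systems the old
    blocks can survive; treat overwriting as one layer, not a guarantee.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            os.fsync(f.fileno())
        f.seek(0)
        f.write(b"\x00" * size)
        os.fsync(f.fileno())
    os.remove(path)
    return not os.path.exists(path)

def post_auth_record(record: dict) -> dict:
    """Keep only what may persist after authorization: never the CVV.
    The PAN is masked here; storing the full PAN would require encryption
    under managed keys (assumed to be handled elsewhere, not shown).
    """
    pan = record["pan"]
    return {"pan_masked": "*" * (len(pan) - 4) + pan[-4:],
            "expiry": record["expiry"]}

def authorize_and_purge(record: dict, work_dir: str) -> dict:
    """Pre-auth data may touch disk; after authorization it must be gone."""
    pending = os.path.join(work_dir, "pending.txt")
    with open(pending, "wb") as f:
        f.write(repr(record).encode())
    # The call to the payment processor would go here (assumed, not shown).
    purged = secure_delete(pending)
    return {"stored": post_auth_record(record), "pending_purged": purged}

def demo() -> dict:
    """Run the lifecycle in a throwaway directory and report the outcome."""
    with tempfile.TemporaryDirectory() as d:
        return authorize_and_purge(PRE_AUTH_RECORD, d)
```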