#152
02-07-2010, 08:04 AM
cautious
Advanced Member
Join Date: Oct 2003
Location: FL, US
Posts: 64
Re: X-Cart and PCI-DSS / PA-DSS compliance

I may be reading too much into the compliance requirements. My understanding is that, regardless of whether the stored data is encrypted or not, both numbers should not be stored together. The CVV should not be stored at all.

The idea is to use it live on demand. I mean, there should be no storage prior to authorization. Just use the number and the CVV to get the authorization, discard the CVV and optionally store the main#, strongly encrypted, if the shop has the capacity to safeguard it. There is no need to ever store the CVV; it should be treated like the second part of a two-factor authentication.

If both the CVV and main# are stored encrypted together prior to authorization, an attacker can steal the storage and apply brute force. And it'll be worth it because, for a big merchant, the reward is that the cracked storage will yield millions of complete CVV/main# pairs ready to use.
__________________
Recommend www.paintball-gear-supplies.com for good deals on camping & outdoor supplies.
x-cart v4.1.10 on LAMP
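As an added example (not from the post above and not X-Cart code), here is a Python sketch of the two rules the post describes: a pre-persistence step that drops the CVV and hands the PAN to a caller-supplied encryption routine, and an audit that flags stored records still holding a CVV field or a plaintext PAN. The field names, the sample records and the `demo_encrypt` stand-in are constructed assumptions, not anything from the thread.

```python
import re

# Luhn check, used to distinguish a real-looking PAN from any other digit run.
def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_RE = re.compile(r"^\d{13,19}$")
# Field names under which a card security code commonly lands (assumed set).
CVV_KEYS = {"cvv", "cvv2", "cvc", "cid", "card_security_code"}

def prepare_for_storage(record: dict, encrypt) -> dict:
    """Return the only form of an authorized card record that may be persisted.
    The CVV is dropped unconditionally. The PAN is replaced by the output of
    the caller-supplied `encrypt` callable, so no plaintext PAN reaches disk.
    """
    kept = {k: v for k, v in record.items() if k.lower() not in CVV_KEYS}
    if "pan" in kept:
        kept["pan_enc"] = encrypt(kept.pop("pan"))
    return kept

def audit_stored_records(records) -> list:
    """Flag (index, has_cvv, plaintext_pan) for each record breaking the rule."""
    findings = []
    for idx, rec in enumerate(records):
        has_cvv = bool({k.lower() for k in rec} & CVV_KEYS)
        plain_pan = any(isinstance(v, str) and PAN_RE.match(v) and luhn_valid(v)
                        for v in rec.values())
        if has_cvv or plain_pan:
            findings.append((idx, has_cvv, plain_pan))
    return findings

# Constructed sample store; 4111111111111111 is a well-known test PAN.
SAMPLE_STORE = [
    {"order": 1001, "pan_enc": "<ciphertext>", "exp": "12/30"},  # compliant
    {"order": 1002, "pan": "4111111111111111", "cvv": "123"},    # both violations
    {"order": 1003, "pan_enc": "<ciphertext>", "cvv2": "999"},   # CVV retained
]

def demo_encrypt(pan: str) -> str:
    # Stand-in only: a real deployment would call an HSM or a vetted AEAD library.
    return "<ciphertext of %d digits>" % len(pan)
```

Running `audit_stored_records(SAMPLE_STORE)` flags records 1 and 2; passing record 1 through `prepare_for_storage` first yields a record the audit accepts.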