bowett

Member Since 11 Aug 2005
Offline Last Active May 23 2007 01:58 AM
-----

Topics I've Started

PCI Compliance Debate

01 August 2006 - 07:41 AM

Hi Everyone,

I have been heavily involved with one of our clients with regard to PCI compliance. Together we are working towards PCI compliance, which, as everyone will know, is a requirement (not an option) laid out by Mastercard and Visa if you want to process credit cards. The penalties for non-compliance are huge (in the region of $10,000 a day), so this needs to be looked at.

If you are storing card numbers within MOM then you are certainly not PCI compliant. I hope this thread can be used to discuss where we think MOM is lacking, to allow us all to become compliant in the future. The fines for non-compliance are huge, so we all need to get up to speed.

The VISA site is the best resource for information. This PDF gives a breakdown of all the sections and requirements.

There are two main areas I can see where MOM is lacking.

Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data.

In summary, this means MOM should create log files of any access to cardholder information. The PDF describes the minimum data that needs to be stored. MOM currently does not do this.

Requirement 3: Protect Stored Data

If you import orders into your system, there is a period of time between creation and importing during which card numbers are stored unencrypted. Really, this is unacceptable. I believe MOM should have the option to accept encrypted orders.

I'd love to hear everyone else's thoughts on this.

Regards,

Dan.
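The access logging the post asks for under Requirement 10, as an added example; this is not code from MOM and not part of the original post. It assumes the log fields of PCI DSS requirement 10.3 as recalled by the example's author (user id, event type, date and time, success or failure, origin, identity of the affected data), since the post itself does not list them; the chain key, order records and PANs are constructed demo values. Every read of a card number goes through one store method that writes a log entry first, the entry keeps only the last four digits of the PAN, and entries are HMAC-chained so a deleted or edited entry is detectable on verification.

```python
"""Access audit log for cardholder data (added example; not MOM code and not
from the original post).

Assumptions: log fields follow PCI DSS requirement 10.3 as recalled by the
author of this example (the post does not list them); the HMAC chain key and
the order records below are constructed demo values.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample orders awaiting import; the PANs are standard test numbers.
SAMPLE_ORDERS = {
    "ORD-1001": {"customer": "A. Smith", "pan": "4111111111111111"},
    "ORD-1002": {"customer": "B. Jones", "pan": "5555555555554444"},
}

GENESIS_MAC = "0" * 64  # prev_mac of the first entry in a fresh log


def pan_last4(pan):
    """Return only the last four digits; the log never holds the full PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[-4:]


def _canonical(entry):
    """Deterministic serialisation so the MAC is reproducible on verification."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class CardholderAccessLog:
    """Append-only log; each entry carries the MAC of the previous entry, so
    editing or removing an entry breaks the chain."""

    def __init__(self, chain_key):
        self._key = chain_key
        self._entries = []

    def record(self, user_id, event, origin, order_id, pan, success, when=None):
        prev = self._entries[-1]["mac"] if self._entries else GENESIS_MAC
        entry = {
            "seq": len(self._entries),
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,          # who
            "event": event,              # type of event
            "origin": origin,            # where the request came from
            "resource": {"order_id": order_id,
                         "pan_last4": pan_last4(pan) if pan else None},
            "success": success,
            "prev_mac": prev,
        }
        entry["mac"] = hmac.new(self._key, _canonical(entry), hashlib.sha256).hexdigest()
        self._entries.append(entry)
        return entry

    def entries(self):
        return self._entries

    def export(self):
        """JSON Lines export suitable for shipping to a central log host."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self._entries)

    def verify(self):
        """True only if every entry is intact and the chain is unbroken."""
        prev = GENESIS_MAC
        for i, e in enumerate(self._entries):
            if e.get("seq") != i or e.get("prev_mac") != prev:
                return False
            body = {k: v for k, v in e.items() if k != "mac"}
            expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, e.get("mac", "")):
                return False
            prev = e["mac"]
        return True


class CardholderStore:
    """Every read of a PAN, successful or not, is logged before it is served."""

    def __init__(self, orders, log):
        self._orders = orders
        self._log = log

    def read_pan(self, user_id, origin, order_id):
        order = self._orders.get(order_id)
        self._log.record(user_id, "read_pan", origin, order_id,
                         order["pan"] if order else None, success=order is not None)
        if order is None:
            raise KeyError(order_id)
        return order["pan"]


def demo():
    """One successful read and one failed read, both logged."""
    log = CardholderAccessLog(b"constructed-demo-chain-key")
    store = CardholderStore(SAMPLE_ORDERS, log)
    store.read_pan("ops.dan", "10.0.0.5", "ORD-1001")
    try:
        store.read_pan("ops.dan", "10.0.0.5", "ORD-9999")  # unknown order, logged as failure
    except KeyError:
        pass
    return log
```

The chain key should live in a proper secret store rather than beside the log, and the exported lines should be shipped off-box promptly; the chain lets a reviewer detect tampering after the fact, it does not stop someone with the key from rewriting the whole log.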