Comments on: Secure Your Application – PCI DSS Specifications http://www.simonwhatley.co.uk/secure-your-application-pci-dss-specifications The opposite of every great idea is another great idea Tue, 24 Jan 2012 10:54:00 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: David Cooke http://www.simonwhatley.co.uk/secure-your-application-pci-dss-specifications/comment-page-1#comment-404 David Cooke Tue, 02 Jun 2009 13:23:33 +0000 http://www.simonwhatley.co.uk/?p=1785#comment-404 Brilliant and very informative write up. Although we don't currently store any credit card data we are just about to undergo a pen test and are currently going though a process of re-evaluating all our applications and infrastructure so this post has come in very handy indeed. Just one note that in Application.cfc, scriptProtect should be set to "All", "None" or a comma delimited list of variable scopes. It's also an application wide setting and not a variable. Brilliant and very informative write up. Although we don’t currently store any credit card data we are just about to undergo a pen test and are currently going though a process of re-evaluating all our applications and infrastructure so this post has come in very handy indeed.

Just one note that in Application.cfc, scriptProtect should be set to “All”, “None” or a comma delimited list of variable scopes. It’s also an application wide setting and not a variable.

]]> By: Henry Ho http://www.simonwhatley.co.uk/secure-your-application-pci-dss-specifications/comment-page-1#comment-403 Henry Ho Mon, 26 Jan 2009 18:45:26 +0000 http://www.simonwhatley.co.uk/?p=1785#comment-403 Thank you very much for the comprehensive list. Have you had an CF app approved by PCI DSS before? Thank you very much for the comprehensive list.

Have you had an CF app approved by PCI DSS before?

]]> By: RyanTJ http://www.simonwhatley.co.uk/secure-your-application-pci-dss-specifications/comment-page-1#comment-402 RyanTJ Mon, 26 Jan 2009 15:06:53 +0000 http://www.simonwhatley.co.uk/?p=1785#comment-402 I'd also add: • Do not identify if a username or email address is already in use with out validating other fields first and using something like CAPTCA to prevent automated attacks. I’d also add: • Do not identify if a username or email address is already in use with out validating other fields first and using something like CAPTCA to prevent automated attacks.

]]> By: Simon http://www.simonwhatley.co.uk/secure-your-application-pci-dss-specifications/comment-page-1#comment-401 Simon Mon, 26 Jan 2009 13:11:38 +0000 http://www.simonwhatley.co.uk/?p=1785#comment-401 @glyn I would suggest that since your client is storing bank information, it is important that they hold it in a secure way. Implementing PCI DSS will certainly help, but they should refer to their bank for specific guidelines if they have any doubts. @glyn I would suggest that since your client is storing bank information, it is important that they hold it in a secure way. Implementing PCI DSS will certainly help, but they should refer to their bank for specific guidelines if they have any doubts.

]]> By: Glyn Jackson http://www.simonwhatley.co.uk/secure-your-application-pci-dss-specifications/comment-page-1#comment-400 Glyn Jackson Mon, 26 Jan 2009 12:59:52 +0000 http://www.simonwhatley.co.uk/?p=1785#comment-400 Thanks for this, very well written. I was just sending an email to a client on this subject. They are storing bank account information and not card details, does this mean they get away with not doing any of this? Thanks for this, very well written. I was just sending an email to a client on this subject. They are storing bank account information and not card details, does this mean they get away with not doing any of this?

]]>