Justin, I don't think that would work though, depending on the level of compliance and the SAQ being completed I don't think any vendor will allow that exemption regardless of whether credit card information is visible or not. If an attacker is allowed any access to a user session and can harvest any personally identifiable information, it could affect the security of any credit card entered into the site.
Best Regards,
Donnie Bachan
"Nitendo Vinces - By Striving You Shall Conquer"

On Tue, Mar 6, 2012 at 2:41 PM, Justin Scott <leviat...@darktech.org> wrote:

> > Justin, thanks for the reply, and I get your point, but I can't break out
> > the registration process into a standalone site quickly. There must be a
> > fairly quick solution to this problem. Surely, I can't be the first to
> > deal with this.
>
> Another option might be to ask your scanning vendor for an exception
> to that scanning rule. If you can demonstrate to them that no credit
> card information is accessible through the user's account (e.g. the
> card number isn't visible anywhere, etc., and it really doesn't matter
> if the session is hijacked from the standpoint of credit card
> security) and explain the situation, they are generally willing to
> work with you on this kind of thing. Remember, their scanning rules
> are designed to cover the widest possible threat model. If you have
> specific needs that don't fit into that model but have compensating
> controls in place, it shouldn't be a problem (e.g. this used to be an
> issue with the incremental session IDs which the scanners check for,
> but paired with the random session token as a compensating control
> they would always make an exception for this rule when asked).
>
> -Justin Sco
Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:350260
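The compensating control Justin mentions, an incrementing session ID that is only honoured together with a random session token, as an added example that is not code from this thread or from any ColdFusion release. `SessionStore`, `looks_sequential` and `_as_int` are hypothetical names; `looks_sequential` is an assumed approximation of the sequential-ID test a scanner applies, written here so a site can run the same check against its own issued session values before asking a vendor for an exception.

```python
import hmac
import itertools
import secrets

# Added illustration: a minimal session store whose session ID increments
# (the pattern a PCI scanner flags as predictable) but which only honours a
# session when the caller also presents the random token issued with it.
# SessionStore, looks_sequential and _as_int are hypothetical names, not a
# real API.

TOKEN_BYTES = 16  # 128 random bits per session


class SessionStore:
    def __init__(self):
        self._next_id = itertools.count(1)  # predictable, sequential ID
        self._sessions = {}                 # session id -> (token, user)

    def create(self, user):
        """Issue a new session; returns the (id, token) pair the client must keep."""
        sid = next(self._next_id)
        token = secrets.token_hex(TOKEN_BYTES)  # CSPRNG-backed, unguessable
        self._sessions[sid] = (token, user)
        return sid, token

    def lookup(self, sid, token):
        """Return the user for (sid, token), or None if either part is wrong."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        stored_token, user = entry
        # Constant-time comparison so a wrong token leaks nothing via timing.
        if not hmac.compare_digest(stored_token, token):
            return None
        return user


def _as_int(value):
    """Parse a cookie value as decimal, then hex; None if neither works."""
    for base in (10, 16):
        try:
            return int(value, base)
        except ValueError:
            continue
    return None


def looks_sequential(values, max_step=10):
    """Assumed approximation of a scanner's sequential-session-ID test:
    True when every consecutive pair of issued values differs by a small
    positive step, which is what makes the next ID guessable."""
    parsed = [_as_int(v) for v in values]
    if len(parsed) < 2 or any(p is None for p in parsed):
        return False
    steps = [b - a for a, b in zip(parsed, parsed[1:])]
    return all(0 < s <= max_step for s in steps)


if __name__ == "__main__":
    store = SessionStore()
    # Constructed sample: five sessions issued in a row.
    issued = [store.create(f"user{i}") for i in range(5)]
    ids = [str(sid) for sid, _ in issued]
    tokens = [tok for _, tok in issued]
    print("ids sequential:", looks_sequential(ids))        # True: what the scan flags
    print("tokens sequential:", looks_sequential(tokens))  # False: the compensating control
    sid, tok = issued[0]
    print("correct pair:", store.lookup(sid, tok))          # user0
    print("id only:", store.lookup(sid, "0" * 32))          # None
```

The point of the pairing is that the ID alone tells an observer nothing useful: `lookup` refuses any request whose 128-bit token does not match, so a predictable ID is only a problem if the token is missing, short, or derived from something guessable. Running `looks_sequential` over a sample of your own issued ID and token values reproduces the scanner's finding on the ID part and confirms the token part does not share it.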