Jeff wrote:
> > > That is unequivocally wrong.

As I said, that was my understanding, and it was so when the mandate was first released, but I assume that it was phased out in one of the steps to full PCI/DSS, or maybe it is different for web-facing models? I'll ask my compliance rep next time I speak with him. Thanks for the heads up.

> However, depending on what you're doing there are different levels of
> Compliance. Since you are storing credit cards, I thought you get bumped
> up to the highest level of compliance.
>
> DotComIt (Flextras) does a self assessment questionnaire and a
> quarterly web site scan to remain compliant. We store no CC info.
>
> PCI Compliance issues also directed some of our development decisions.
> For example, credit card info is never displayed to the screen, even in
> receipts. When in memory, it is encrypted, I believe using a session
> specific key. When a purchase is complete the CC info is deleted from
> memory, thus minimizing the amount of time our server touches the CC info.

I write point of sale software, and with the exception of documentation issues and other issues unrelated to the software itself, it has been functionally compliant since well before the mandate was released. That has made our own compliance process easier. Frankly, I could never understand why a developer writing any application like that would not do the minimum steps to secure data.

-- 
Warm Regards,
Lee
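The handling pattern Jeff describes above (card data encrypted in memory under a session-specific key, never rendered to the screen or a receipt, and deleted once the purchase completes) can be shown in working code. The following is an added example written for this thread; it is not code from Flextras/DotComIt or from Lee's point-of-sale software. It assumes Go with AES-256-GCM from the standard library, a hypothetical SessionVault type, and a constructed Luhn-valid test number (4111111111111111, not a real card). It goes a little beyond the post by adding a Luhn check on input and a masked "last four" form for receipts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// SessionVault keeps a card number encrypted under a key generated for one
// checkout session. Only the masked form is ever handed to the UI.
// Hypothetical design for this example, not Flextras' or Lee's code.
type SessionVault struct {
	aead       cipher.AEAD // AES-256-GCM keyed with the per-session key
	nonce      []byte
	ciphertext []byte
	last4      string
	purged     bool
}

// NewSessionVault draws a fresh random key and wraps it in an AEAD; the raw
// key bytes are overwritten once the cipher has absorbed them.
func NewSessionVault() (*SessionVault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	wipe(key)
	return &SessionVault{aead: aead}, nil
}

// LuhnValid reports whether the digits pass the Luhn mod-10 check that every
// real PAN satisfies; non-digits or an implausible length fail.
func LuhnValid(pan []byte) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Store encrypts the PAN, keeps the last four digits for receipts, and
// overwrites the caller's plaintext buffer before returning.
func (v *SessionVault) Store(pan []byte) error {
	defer wipe(pan)
	if v.purged {
		return errors.New("vault already purged")
	}
	if !LuhnValid(pan) {
		return errors.New("invalid card number")
	}
	v.nonce = make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(v.nonce); err != nil {
		return err
	}
	v.ciphertext = v.aead.Seal(nil, v.nonce, pan, nil)
	v.last4 = string(pan[len(pan)-4:])
	return nil
}

// Reveal decrypts the PAN for the one moment it is needed (handing it to the
// processor); the caller must wipe the returned slice when done.
func (v *SessionVault) Reveal() ([]byte, error) {
	if v.purged || v.ciphertext == nil {
		return nil, errors.New("no card stored")
	}
	return v.aead.Open(nil, v.nonce, v.ciphertext, nil)
}

// Masked is the only form that reaches a screen or receipt.
func (v *SessionVault) Masked() string {
	if v.purged || v.last4 == "" {
		return ""
	}
	return strings.Repeat("**** ", 3) + v.last4
}

// Purge runs when the purchase completes: ciphertext and nonce are
// overwritten and the AEAD holding the expanded key is dropped.
func (v *SessionVault) Purge() {
	wipe(v.ciphertext)
	wipe(v.nonce)
	v.ciphertext, v.nonce, v.aead, v.purged = nil, nil, nil, true
}

func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	v, err := NewSessionVault()
	if err != nil {
		panic(err)
	}
	pan := []byte("4111111111111111") // constructed test PAN, not real card data
	if err := v.Store(pan); err != nil {
		panic(err)
	}
	fmt.Println("receipt shows:", v.Masked())
	plain, _ := v.Reveal()
	fmt.Println("sent to processor:", len(plain), "digits")
	wipe(plain)
	v.Purge()
	_, err = v.Reveal()
	fmt.Println("after purchase:", err)
}
```

One caveat a reviewer would raise: in a garbage-collected language the wipes are best effort. The AES key schedule inside the cipher object cannot be scrubbed from Go code, and the runtime may have copied buffers before they were zeroed, so keeping the plaintext lifetime short (as Jeff's post describes) matters more than the overwrite itself.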