[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Hardcoded Keys
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Hardcoded Keys
- From: "Gary E. Miller" <gem@xxxxxxxxxx>
- Date: Thu, 4 Sep 2008 15:38:29 -0700 (PDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Yo All!
> I believe it almost never happens. As I understand the card association
> rules, the merchant has to hang on to the data for refund purposes.
Nope, all you need to generate a refund is the original transaction ID. At
least with the processors I use.
You can get the PCI requirements here:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
You are allowed to store the Card number, name and expiration date.
Appendix B allows you to store that unencrypted.
You are not allowed to store the mag stripe, CVC2 or PIN.
RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
gem@xxxxxxxxxx Tel:+1(541)382-8588
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFIwGNoBmnRqz71OvMRAvHmAKCepmVQ4F5fOWdxU5VOD9gTMYW3rACcCWfe
Fv3+09X/t92G6Du76Z9Bocs=
=YoK0
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/