Posted to dev@ofbiz.apache.org by "chris snow (JIRA)" <ji...@apache.org> on 2009/10/07 10:10:31 UTC
[jira] Created: (OFBIZ-3007) sensitive credit card data is not encrypted
sensitive credit card data is not encrypted
-------------------------------------------
Key: OFBIZ-3007
URL: https://issues.apache.org/jira/browse/OFBIZ-3007
Project: OFBiz
Issue Type: Bug
Components: accounting
Affects Versions: SVN trunk
Reporter: chris snow
I've only had a quick look at the Payment Card Industry standards, but I think the following fields should be encrypted in the ofbiz CreditCard entity:
Cardholder name
Valid from and Expiration date
Issue Number
[https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf]
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "Chris Snow (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762982#action_12762982 ]
Chris Snow commented on OFBIZ-3007:
-----------------------------------
Thanks for giving more information. Why comply only with the minimum requirement when it would be easy to encrypt the other sensitive data?
The guidelines state "These data elements must be protected if stored in conjunction with the PAN":
Cardholder Name
Service Code
Expiration Date
Have I misinterpreted the PCI document?
[jira] Commented: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "chris snow (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762991#action_12762991 ]
chris snow commented on OFBIZ-3007:
-----------------------------------
Thanks for clarifying, Scott.
[jira] Commented: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "Scott Gray (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762972#action_12762972 ]
Scott Gray commented on OFBIZ-3007:
-----------------------------------
PCI DSS Requirement 3.4 requires only that the PAN (at a minimum) is rendered unreadable.
[jira] Commented: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "chris snow (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762965#action_12762965 ]
chris snow commented on OFBIZ-3007:
-----------------------------------
Hi Scott, can you please elaborate on your comment? Do you feel that ofbiz meets the PCI standard?
[jira] Closed: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "Scott Gray (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Scott Gray closed OFBIZ-3007.
-----------------------------
Resolution: Invalid
I would suggest a longer look
[jira] Commented: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "chris snow (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762966#action_12762966 ]
chris snow commented on OFBIZ-3007:
-----------------------------------
Hi Scott, can you please elaborate on your comment? Do you feel that ofbiz meets the PCI standard?
[jira] Commented: (OFBIZ-3007) sensitive credit card data is not encrypted
Posted by "Scott Gray (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762985#action_12762985 ]
Scott Gray commented on OFBIZ-3007:
-----------------------------------
{quote}
Thanks for giving more information. Why comply only with the minimum
requirement when it would be easy to encrypt the other sensitive data?
{quote}
I have no opinion on that one way or the other; you could raise an improvement jira issue, but it certainly isn't a bug.
{quote}
The guidelines state "These data elements must be protected if stored in
conjunction with the PAN":
Cardholder Name
Service Code
Expiration Date
Have I misinterpreted the PCI document?
{quote}
You're missing the second sentence from the document:
"This protection should be per PCI DSS requirements for general protection of
the cardholder data environment."
You're confusing general protection with encryption.