TLS secure enough? Need rolling hash in a PA-DSS payment application?

StackOverflow https://stackoverflow.com/questions/5327443

Question

I’m a software engineer and I’m currently working on another payment application (my 3rd one) that must go under PCI PA-DSS compliance. I’m re-examining the PA-DSS documentation and I’m wondering if in the past I overworked on the security of the application, when I could’ve go by with TLS and user/pass. So, my questions are, when implementing a PA-DSS secure application:

  1. For Authentication and Communication security is it enough to have TLS + user/pass?

  2. What part(s) of the PA-DSS standard justifies the need of implementing message hashing and rolling hash between web methods calls? TLS implements reliable messages, but not rolling hashes and persistent callers between messages. Will implementing a rolling hash make any difference (from the PA-DSS stand point)?

  3. If a payment processing application stores PII information and serves different companies (meaning that Company A and Company B can have accounts in such application), there is no specific requirement that states the PII information cannot be stored in the same DB, but in the past, PA-QSAs have insisted in this being an issue. The question is: Is this truly necessary? I cannot think Authorize.NET, a company with thousands of clients and processors have different databases to store the credit cards processed through each of its client companies.

Thanks in advance!

Update #1:

  • Assume all pages and web services, both in DMZ and Secure Zone will have HTTPS for all the communication channels, pages and services.

  • On #3, the question is not about the location or security of the storage of sensitive information. The question is more geared to question the ability of sharing sensitive information from different sources (clients, such as AT&T and Verizon for example) in the same database.

Was it helpful?

Solution

There are a few issues here.

1) Using TLS for just the username+password is still a vulnerability. Its a violation of owasp a9 and its trivial to hijack any account on your system using a firehseep style attack.

I know the PA-DSS 2.0 doesn't embody the entire owasp top 10, but requirement 12.1 should be noted:

12.1 Instruct customers to encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Which would include an administrative http interface.

2) The PA-DSS recommendeds using real transport layer security such as: VPNs, and TLS/SSL. I don't believe there is a requirement for rolling hashes, and to be honest this isn't a very secure design. Such traffic needs full transport layer protection.

3) Don't forget about requirement 9:

9. Cardholder data must never be stored on a server connected to the Internet

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top