pci_dss.theory.txt
PCI_DSS
REQUIRED BY ==> # - credit card companies and banks, as a condition of working with them
# - Stripe/PayPal/etc.
# - some customers (especially corporate) might require it
MAIN POINTS ==> #Collecting and sending security-sensitive info (personal info, payment method info)
# - must use HTTPS everywhere
# - firewall
#Storing it securely (encryption, monitoring, testing)
# - no default values for passwords
#Access control of it (including physical access)
LEVELS ==> #Different levels of requirements, depending on payment volume:
# - level 4: <50 payments per day
# - level 3: <2500 payments per day
# - level 2: <15000 payments per day
# - level 1: >15000 payments per day, or had a data breach
VALIDATION ==> #SAQs every year: self-assessment questionnaires
# - different SAQ types for simpler/more complex setups:
# - A: e-commerce fully outsourced to a solution like Stripe (no storage/processing of security-sensitive info)
# - A-EP: same but website might impact security during payment
# - B, B-IP, C-VT, C, P2PE: offline (e.g. using terminal readers)
# - D: others
#ASV (Approved Scanning Vendor) every 3 months: white-box security testing, performed by external vendors
# - if level 1, QSA (Qualified Security Assessor) instead: black-box on-site security testing
STRIPE/PAYPAL/ETC. ==> #They help deal with this (they take on most of the scope). See the Stripe docs.