iDempiere compliance with PCI standards

Description

iDempiere is not compliant with security standards on credit card management.

Reading this document:
https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Item 3.2.2 says that it is forbidden for anyone to store a CVV2 or CVC2 code, encrypted or not:

"3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.

Ensure the CVC is not stored under any circumstance on:

  • Incoming transaction data

  • All logs (for example, transaction, history, debugging, error)

  • History files

  • Trace files

  • Several database schemas

  • Database contents"

Also, I read that Visa and most banks forbid saving the CVC in the database as a security measure.

I would recommend a System Configurator parameter that disables saving data in the column C_Payment.CreditCardVV - this will imply reviewing the online credit card processor to manage such information temporarily.

Regards,

Carlos Ruiz

Environment

None

Activity

Paul Bowden August 16, 2011 at 10:02 AM

Hi,

You may be interested in http://adempiere.hg.sourceforge.net/hgweb/adempiere/contribution_adaxa/rev/390aa8a0a918 as a starting point – it just blanks out the CVC and obscures part of the CC number once a payment is processed.

Obviously PCI demands more but this at least reduces the amount of valid credit card data in the system at any one time.

Regards,

Paul
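As an added illustration of the approach Paul describes (this is example code, not the Adaxa changeset and not iDempiere's own MPayment code), the following standalone Java class blanks the CVC and masks the PAN once a payment has been processed, and offers a simple guard for log output. It uses a plain holder object instead of the real C_Payment model; the column name C_Payment.CreditCardVV comes from the issue, while C_Payment.CreditCardNumber is assumed.

```java
import java.util.regex.Pattern;

/** Added example: scrub card data after processing (not iDempiere's MPayment). */
public final class CardDataScrubber {

    /** Minimal stand-in for the C_Payment fields this example touches. */
    public static final class PaymentRecord {
        public String creditCardNumber; // C_Payment.CreditCardNumber (assumed column name)
        public String creditCardVV;     // C_Payment.CreditCardVV (from the issue)
        public boolean processed;       // true once the online processor has answered
    }

    private static final Pattern PAN_RUN = Pattern.compile("\\d{13,19}");

    /**
     * Masks a PAN so that at most the last four digits remain readable
     * (PCI DSS 3.3 allows first six / last four at most; this keeps only the last four).
     * Spaces and dashes are dropped before masking.
     */
    public static String maskPan(String pan) {
        if (pan == null) return null;
        String digits = pan.replaceAll("\\D", "");
        if (digits.length() <= 4) return "*".repeat(digits.length()); // too short to keep any
        return "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4);
    }

    /** After processing, the CVC is never retained and the PAN is reduced to its masked form. */
    public static void scrubAfterProcessing(PaymentRecord p) {
        if (!p.processed) return;
        p.creditCardVV = null;                          // PCI DSS 3.2.2: never store, encrypted or not
        p.creditCardNumber = maskPan(p.creditCardNumber);
    }

    /** Guard for log/trace lines: true if the text still carries a 13-19 digit run (a likely full PAN). */
    public static boolean looksLikeFullPan(String text) {
        return text != null && PAN_RUN.matcher(text.replaceAll("[ -]", "")).find();
    }

    public static void main(String[] args) {
        PaymentRecord p = new PaymentRecord();
        p.creditCardNumber = "4111 1111 1111 1111"; // constructed test PAN, not a real card
        p.creditCardVV = "123";                     // constructed
        p.processed = true;
        scrubAfterProcessing(p);
        System.out.println("PAN after scrub: " + p.creditCardNumber);
        System.out.println("CVC retained: " + (p.creditCardVV != null));
        System.out.println("Log line still holds a full PAN: " + looksLikeFullPan(p.creditCardNumber));
    }
}
```

The scrub must run on the same path that persists the processor's answer, so that the CVC never reaches a committed row or a log line.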

Carlos Ruiz August 15, 2011 at 6:44 AM

Yes, I was thinking of backward compatibility - but you're right, I prefer your approach - it does not make sense to be backward compatible with something that must not be acceptable.

Heng Sin Low August 15, 2011 at 6:36 AM

I don't think this should be configurable. The application needs to be PCI compliant; it is not really an option not to be.

Fixed

Created August 14, 2011 at 11:42 PM
Updated March 13, 2014 at 2:20 PM
Resolved April 26, 2013 at 9:58 AM