
Mailing List Archive: Interchange: cvs

[SCM] Interchange branch, master, updated. fe182d93b4741210ca1511bdeb03d2c51cc87097


interchange-cvs at icdevgroup

Jun 18, 2009, 10:00 PM


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
via fe182d93b4741210ca1511bdeb03d2c51cc87097 (commit)
from 8f5ff11ebdb0840c29a50596354121179e71068e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fe182d93b4741210ca1511bdeb03d2c51cc87097
Author: Jon Jensen <jon [at] endpoint>
Date: Thu Jun 18 22:56:42 2009 -0600

Remove CVV2/CSC from default credit card encrypted block template

The card security code should not be stored at all, even in encrypted
form. This makes the default behavior compliant with section 3.2.2 of
PCI-DSS 1.2:

https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

It is of course still possible to manually supply a template that
stores the card security code in violation of PCI-DSS requirements, so
developers should review any custom credit card encryption templates
to make sure that the CVV2 is not included, and purge it from any
historical data they have stored.

Thanks to Mark Lipscombe for calling attention to this.

-----------------------------------------------------------------------

Summary of changes and diff:
WHATSNEW-5.7 | 11 +++++++++++
lib/Vend/Order.pm | 1 -
2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/WHATSNEW-5.7 b/WHATSNEW-5.7
index a389a0a..678fded 100644
--- a/WHATSNEW-5.7
+++ b/WHATSNEW-5.7
@@ -132,6 +132,17 @@ Payment
* [pay-cert] tag now uses the new adjust_time() function instead of the older
time_to_seconds().

+* Remove CVV2 (Card Security Code) from default credit card encrypted block
+ template so that it will not even be stored in encrypted form. This makes
+ the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:
+
+ https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
+
+ It is of course still possible to manually supply a template that stores
+ the card security code in violation of PCI-DSS requirements, so developers
+ should review any custom credit card encryption templates to make sure that
+ the CVV2 is not included, and purge it from any historical data.
+
UserTag
-------

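Review bot: The added WHATSNEW entry asks developers to review custom credit card encryption templates but never names the field to look for; putting the literal token `{MV_CREDIT_CARD_CVV2}` into the paragraph that begins "It is of course still possible" would let them search their templates for it directly. The entry should also say that the default encrypted block is now one line shorter, since anything that reads the decrypted block by line position will see a different layout after upgrading.
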
diff --git a/lib/Vend/Order.pm b/lib/Vend/Order.pm
index fe08095..1e9b4b6 100644
--- a/lib/Vend/Order.pm
+++ b/lib/Vend/Order.pm
@@ -443,7 +443,6 @@ sub build_cc_info {
{MV_CREDIT_CARD_TYPE}
{MV_CREDIT_CARD_NUMBER}
{MV_CREDIT_CARD_EXP_MONTH}/{MV_CREDIT_CARD_EXP_YEAR}
- {MV_CREDIT_CARD_CVV2}
)) . "\n";

$cardinfo->{MV_CREDIT_CARD_TYPE} ||=
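
Review bot: Dropping the `{MV_CREDIT_CARD_CVV2}` line only changes the built-in default in build_cc_info, so a site that supplies its own template containing that token keeps writing the security code into the encrypted block with no signal. Consider checking a supplied template for `{MV_CREDIT_CARD_CVV2}` at this point and logging a warning, or refusing the template, so that the review the commit message asks for does not depend on every developer reading WHATSNEW.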


hooks/post-receive
--
Interchange

_______________________________________________
interchange-cvs mailing list
interchange-cvs [at] icdevgroup
http://www.icdevgroup.org/mailman/listinfo/interchange-cvs
