re: Would you send a plain text password from your website to the server over a secure connection?

re: As in all things in InfoSec, it's all about considering what kinds of attacks you're trying to defend against. In this case, I'm not trying to pro...

Cool. Doesn't PCI compliance require regular pen tests and no storage of credit card information, though?

It doesn't require "no storage" (at least, not of the PAN), just that we protect the storage (requirement 3.4 of PCI-DSS 3.2), which includes within log files. This strategy helps us achieve that. I was, however, trying to talk about a broader scope than just PCI, even if that's the specific case that I'm dealing with, hence my hoping that people are actually doing pen tests. Even within PCI, though, I wonder how many auditors have checked the pen test records for the log servers, as opposed to just checking them for the app servers and DBs. I don't trust my auditors to make my system secure any more than they trust me :).

When we had a PA-DSS audit every server had its hard drive cloned and checked for anything matching the Luhn algorithm. Lots of false positives, but your solution seems like an excellent precaution.
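As an added example (not code from either commenter or from the page), here is a small Python scanner in the spirit of the Luhn sweep described above. It pulls 13-19 digit runs out of log text, keeps the ones that pass the Luhn mod-10 check, and then shows why Luhn alone gives the "lots of false positives" mentioned: roughly one random digit string in ten passes Luhn, so a second filter on issuer prefix and length is applied. The log lines and the issuer prefix table are constructed for the demo (a real scanner would use a maintained IIN list); hits are reported masked so the scan output does not itself become another place PANs are stored.

```python
import re

# Constructed sample log lines (not from the thread). Line 1 leaks a Visa
# test PAN, line 2 is properly masked, line 3 is a session id that happens
# to pass Luhn, line 4 fails Luhn, line 5 leaks a space-separated test PAN.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z checkout ok order=8842 pan=4111111111111111
2024-01-01T10:00:01Z checkout ok order=8843 pan=****1111
2024-01-01T10:00:02Z session id=1234567812345670 user=alice
2024-01-01T10:00:03Z trace id=1234567890123456
2024-01-01T10:00:04Z refund ref=5555 5555 5555 4444 amount=12.00
"""

# Runs of 13-19 digits, optionally separated by single spaces or dashes,
# bounded by non-digits so we never match inside a longer number.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Coarse issuer prefix/length rules used only to cut down false positives.
# Assumption: this small subset is enough for the demo; production scanners
# use a maintained IIN table.
BRAND_RULES = {
    "visa": lambda d: d[0] == "4" and len(d) in (13, 16, 19),
    "mastercard": lambda d: len(d) == 16
    and (51 <= int(d[:2]) <= 55 or 2221 <= int(d[:4]) <= 2720),
    "amex": lambda d: len(d) == 15 and d[:2] in ("34", "37"),
    "discover": lambda d: len(d) == 16 and (d[:4] == "6011" or d[:2] == "65"),
}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = ord(ch) - 48
        if i % 2 == 1:  # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def brand_of(digits: str):
    """Return the first issuer rule the digit string satisfies, else None."""
    for name, rule in BRAND_RULES.items():
        if rule(digits):
            return name
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_log(text: str):
    """Return (luhn_hits, likely_pans).

    luhn_hits   - every digit run that passes Luhn, as (lineno, masked)
    likely_pans - the subset that also matches an issuer rule,
                  as (lineno, masked, brand)
    The gap between the two lists is the Luhn-only false positive rate.
    """
    luhn_hits, likely_pans = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue
            luhn_hits.append((lineno, mask(digits)))
            brand = brand_of(digits)
            if brand:
                likely_pans.append((lineno, mask(digits), brand))
    return luhn_hits, likely_pans


if __name__ == "__main__":
    hits, pans = scan_log(SAMPLE_LOG)
    print("Luhn-valid runs:", hits)
    print("Likely PANs:    ", pans)
```

Run against the constructed log, the Luhn pass flags three lines (1, 3 and 5) while the issuer filter keeps only lines 1 and 5; the session id on line 3 is the kind of false positive a bare Luhn sweep of a cloned disk turns up in bulk.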