Message-ID: <alpine.LNX.1.10.0809041531220.30866@catbert.rellim.com>
Date: Thu, 4 Sep 2008 15:38:29 -0700 (PDT)
From: "Gary E. Miller" <gem@...lim.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Hardcoded Keys

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yo All!

> I believe it almost never happens.  As I understand the card association
> rules, the merchant has to hang on to the data for refund purposes.

Nope, all you need to generate a refund is the original transaction ID.  At
least with the processors I use.

You can get the PCI requirements here:

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml


You are allowed to store the Card number, name and expiration date.
Appendix B allows you to store that unencrypted.

You are not allowed to store the mag stripe, CVC2 or PIN.


RGDS
GARY
- ---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97701
	gem@...lim.com  Tel:+1(541)382-8588

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFIwGNoBmnRqz71OvMRAvHmAKCepmVQ4F5fOWdxU5VOD9gTMYW3rACcCWfe
Fv3+09X/t92G6Du76Z9Bocs=
=YoK0
-----END PGP SIGNATURE-----
