We're moving away from a hosted e-commerce platform and need to migrate 50000+ customers, ideally keeping their passwords intact.
I requested the customer data(including encrypted passwords and salts) from our current host and they refused saying that it is against PCI compliance.
How would you provide this data to a second party while keeping to PCI best practices?
I've tried searching but I can't find the relevent information or PCI documentation for this use-case.
Related
I've my C# NET6 desktop application to send to customers, important functions have been removed and implemented on a server
I've my public server on which I want to auth desktop app(license, feature...), get its blob, process it, send back
I consider the C# app crackable whatever obfuscator/protector I'll use (but i'll use anyway), server is considered secure, i need a secure point at customer premise.
The idea is to use an usb dongle to bring up a secure and authenticated session between desktop app and server.
Requisites for the dongle are:
Be able to do AES128(at least) and/or RSA1024(at least)
EAL5+/6+ secure MCU (nothing that could be dumped with glitches or baths in acid)
dll and API to talk with
So far i've looked at various sw protection dongle, but:
some are 15years old mcu and not sure if still in business
most doesn't tell what mcu is inside, some are fast (but silly) stm32, some are slow 8051
the expensive ones are the most complex ones, i mean it takes days to read unclear documentation and see that i don't need 90% of the package (enveloper, mssql db for my 50customers...)
i don't need at all their C# enveloper, I want to use a thirdparty/specific protector with VM
So i've looked at usb tokens PKI, FIDO2, PIV....but:
FIDO2 allows customer to reset pin and cear all certificates, no good as i want to burn keypair inside prior to ship to customer
PIV not found any cheap PIV only usb token, some FIDO2 expensive has also PIV interface, but...
to talk to FIDO2 and PIV i would need all the overload bloat of libraries that i very dislike (and also needs admin right, which i want to avoid)
PC/SC usb token are the most lowlevel to use, mscard lib and do whatever, nice but.....ISO-7816-8,9 are not public, costs like 300bucks to eventually see that my card vendor implemented custom stuff
I've 0x80 blob to send to dongle to powmod() it, that's all, no x509, no pkcs11, no base64, nothing human, just need a powmod(data) or an aes_dec(data).
Any suggestions?
While this is no full answer, I would like to address some issues:
You may underestimate the complexity required. Obviously necessary is some specification, whether RSA or AES operation is required. This has to show up somewhere, either as command parameter or as a set-up command (between host and connected token).
Pure modular exponentiation is unlikely to reach the desirable level of security, since RSA depends on padding to exclude some kinds of attack.
You may not like PKCS 11 interface, but it is proven and known to introduce no security issues. This may require notable effort if done on your own.
Given the mentioned EAL levels, my guess would be, that you need a smart card chip with USB interface.
The MCU is pretty irrelevant: to get crypto operations hardened, you need special hardware (as cryptographic coprocessors). It has little influence, how old the architecture of the chip is, which feeds the bytes to those.
This is a different question but what I am trying to do is avoid PCI compliance on my end and transfer that issue over to the customer. This will deal with the transfer of credit card numbers. I am wondering how you can create an application like a website but make is so a customer can download it to their computer to use it.
The application would be connected to a API where the credit card data would be given to a credit card processor. Is this possible to do? Can I avoid using a server of my own? If so what suggestions might you make? Can it be done using react? Node? do I have to use Python? Hope this is enough information to understand.
Tim,
If I am understanding your question correctly, you goal is to provide credit-card acceptance as a function to your customer and avoid PCI compliance. If your website includes a redirect or iframe to a processor, then your customer would need to complete an SAQ-A or SAQ-A EP for their compliance.
If you are a maintaining these sites, especially if you have remote access, then you are service provider and would need to complete the relevant sections of SAQ-D. If you build the website and leave it up to your customer after that, you have no obligations under the PCI DSS.
I attached a link to the PCI SSC's website for your reference.
Best of luck
I have a form where I collect the credit card information, send it over https line to my server. In the server, I am using Stripe PHP library to generate a token and store it in my database. Can you please suggest me whether I have followed PCI Compliant or Is there any PCI checklist available in the web?
Thanks,
Raja K
In short, no, this is not compliant. By sending raw card data to your servers, you are responsible for the highest burden of PCI compliance, the SAQ D. SAQ D is the most onerous of all the SAQs, with over 40 pages of requirements you must implement to remain PCI compliant.
The easiest level of PCI compliance is a Pre-filled SAQ A, which you can use if you use Stripe's frontend libraries to tokenize card data. I would recommend looking into Checkout or Elements to see if they fit your needs.
With Checkout or Elements, Stripe's libraries will tokenize a card for you, and you can send that token to your servers to create a charge. This means that the standards for PCI compliance no longer apply to your servers, as they don't contain sensitive card data.
You can read more about the different levels of PCI compliance when using Stripe here:
https://stripe.com/docs/security#validating-pci-compliance
I have designed a BLE peripheral into a product. There will be an app developed (Android, Windows) but for now I am writing firmware to support the app in the blind.
We cannot have someone access the peripheral who is not authorized. To handle this I have a password stored in firmware.
There are seven custom characteristics, all but three of which are disabled upon initial connection. The password characteristic is write only of course, once the correct password is sent the other characteristics are enabled.
I have no experience with BLE until now so I have no idea if this scheme is reasonable or not.
Is there a bettor way to limit access?
Thanks
Rich
The Bluetooth standard defines the pairing/bonding concept with its corresponding encryption. Based on your specification it doesn't seem like it fits your needs.
You therefore have to come up with something on your own. How secure you make it is completely up to you. Your proposal is the simplest and most unsecure way of doing it. The most secure thing you can do is use some protocol created for these purposes (https://en.wikipedia.org/wiki/Password-authenticated_key_agreement) to create a cryptographic key which you then use for authenticated encryption when you later communicate with your device. You decide which way you want to go based on the security level you want.
i have developed a windows desktop application and it is ready for distribution. Target buyers are in the order of few hundreds only. Yet wishing to protect it from unauthorized use.
First idea was to use something like HASP key etc. Found costly for my case. Then googled about machine fingerprint etc to write my own code. Found mixed opinion about it. Especially the fact that it might not be that end-user-friendly when they upgrade hardware.
Why should the fingerprinting be from machine.. it could be from something else which is unique and yet connected to the machine (hoping sim card is unique), right.? Put a sim card on a usb reader and plug it into the system. The application shall read the sim card id for authentication. Assuming i supply the sim card and pre-code their ids in the application. Is this idea sane and possible?
Thanks, Chandra.