WebApp Sec
mailing list archives
Re: Should login pages be protected by SSL?
From: Andrew van der Stock <vanderaj () greebo net>
Date: Tue, 21 Jun 2005 23:47:07 +1000
Amir,
It's required. See Attachment A from the PCI Guidelines. It's very
clear, particularly on page two with the diagram. If you deal with CC
numbers, you must encrypt the communications over the Internet.
E.g., for the Asia-Pac region:
http://www.visa-asia.com/secured/includes/AP_Encrypt_Clarification.pdf
thanks,
Andrew
On 21/06/2005, at 8:07 PM, Amir Herzberg wrote:
>> The Visa/MC PCI guidelines are quite stringent on applying
>> reasonable controls to this data.
>
> Well, actually, I've worked with the card people a lot but am not
> aware of a specific requirement to use SSL to protect the form sent
> to the consumer and not just to protect the CC# in transit. Do you
> know? If you can give me some reference, I'd appreciate it. I can
> also ask my contacts. I am very interested, as one of the companies
> which uses unprotected login is Amex, and in fact we had a long
> argument with them on these questions...