PCI de-scope

Let me also throw out a real world scenario.  When disputes happen the credit card company requires that we provide them with the full PAN.  In a third party system where the credit card number is never even seen how can we deal with the credit card companies requirement to provide that information.  They want the full PAN and authorization number.  We have this scenario come up often.

Thanks,

Dave Alton

CIO

Center Theatre Group

o:213-972-7539 | c:213-973-2834

I think Keith is somewhat correct in his reading of the Network update item on the new credit card server.  It is one of our goals to have a completely "hands off" method to deal with credit cards in order to remove the onus of PA-DSS certification for the software.  In fact our team had a meeting this week with our security auditors to discuss that very topic (among others).  The new credit card server is one step towards that because it gives us more options for ways to address payment processors.  I understand that what you are talking about specifically is a 3rd party hosted window so that the application never even touches (much less stores) that credit card data and we are looking at that as well.  That approach does add some simplicity to the process but also poses some integration challenges because of the "commit" problem.  What happens if you authorize a card through a totally separate window and then you never save the order?  And if you want to do recurring payments (automatic credit card billing) then we have to store some pointer to the credit card stored in a 3rd party system.  All solvable problems but ones that add to the complexity.

Thanks for the comments and for keeping the conversation going.

Let me also throw out a real world scenario.  When disputes happen the credit card company requires that we provide them with the full PAN.  In a third party system where the credit card number is never even seen how can we deal with the credit card companies requirement to provide that information.  They want the full PAN and authorization number.  We have this scenario come up often.

Thanks,

Dave Alton

CIO

Center Theatre Group

o:213-972-7539 | c:213-973-2834

I think Keith is somewhat correct in his reading of the Network update item on the new credit card server.  It is one of our goals to have a completely "hands off" method to deal with credit cards in order to remove the onus of PA-DSS certification for the software.  In fact our team had a meeting this week with our security auditors to discuss that very topic (among others).  The new credit card server is one step towards that because it gives us more options for ways to address payment processors.  I understand that what you are talking about specifically is a 3rd party hosted window so that the application never even touches (much less stores) that credit card data and we are looking at that as well.  That approach does add some simplicity to the process but also poses some integration challenges because of the "commit" problem.  What happens if you authorize a card through a totally separate window and then you never save the order?  And if you want to do recurring payments (automatic credit card billing) then we have to store some pointer to the credit card stored in a 3rd party system.  All solvable problems but ones that add to the complexity.

Thanks for the comments and for keeping the conversation going.