PCI PA-DSS – Changes to Store and Forward processing

If you read the PCI standards carefully and hang out with PCI geeks here or here, you will notice that PCI applies to post-authorization data and not necessarily to pre-authorization data (I think the official language is “subsequent to the authorization”).

On May 1st, a payment processor modified their message formats as part of their PCI compliance work: SAF (store-and-forward) advice transactions no longer carry Field 35 (track 2 data); instead the PAN is sent in field 2 and the expiration date in field 14, in place of DE 35.

Also, from a forum post by “andrewj”:

Another update on this (if you are from Australia) – there is a change being made to AS2805.2 to change the track 2 field from mandatory to optional in 04x0 messages. This should be released sometime this month.

This is a good trend in the industry; hopefully others will follow this example and continue the trend.
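The processor change above and andrewj's AS2805.2 note both come down to the same defensive rule: once a transaction is authorized and the advice is sitting in a SAF queue, the stored message should hold the PAN (DE 2) and expiry (DE 14) it needs and nothing from the magnetic stripe. The following is an added example, not code from this blog, jPOS or jPOS-EE, of how a switch could enforce that before an advice is written to its SAF store. It assumes the jPOS `ISOMsg` API (`getMTI`, `hasField`, `getString`, `set`, `unset`) and standard ISO 8583 field positions; the class and method names are mine.

```java
import org.jpos.iso.ISOException;
import org.jpos.iso.ISOMsg;

/**
 * Strips magnetic-stripe track data from advice messages before they are
 * written to the store-and-forward queue, carrying over only the PAN (DE 2)
 * and expiry (DE 14). Illustrative code, not part of jPOS-EE.
 */
public final class SafAdviceSanitizer {
    static final int DE_PAN = 2;       // primary account number
    static final int DE_EXPIRY = 14;   // expiration date, YYMM
    static final int DE_TRACK2 = 35;   // track 2 data: the field the processor dropped from SAF advices
    static final int DE_TRACK1 = 45;   // track 1 data: standard ISO 8583 position, assumed here, not on the page

    /** Advice messages carry '2' as the third MTI digit (0220, 0420, ...). */
    static boolean isAdvice(ISOMsg m) throws ISOException {
        String mti = m.getMTI();
        return mti != null && mti.length() == 4 && mti.charAt(2) == '2';
    }

    /**
     * Splits a track 2 string "PAN=YYMM..." (some terminals encode the
     * separator as 'D'). Returns {pan, yymm}; yymm is null when the track
     * is too short to hold an expiry date.
     */
    static String[] panAndExpiryFromTrack2(String track2) {
        int sep = track2.indexOf('=');
        if (sep < 0) sep = track2.indexOf('D');
        if (sep < 0) return new String[] { track2, null };
        String pan = track2.substring(0, sep);
        String rest = track2.substring(sep + 1);
        String yymm = rest.length() >= 4 ? rest.substring(0, 4) : null;
        return new String[] { pan, yymm };
    }

    /**
     * Mutates the message so that no track data survives into the SAF store.
     * Online requests (0200, 0400) still need the track for authorization and
     * are left untouched; only advices are post-authorization.
     */
    public static void sanitize(ISOMsg m) throws ISOException {
        if (!isAdvice(m)) return;
        if (m.hasField(DE_TRACK2)) {
            String[] pe = panAndExpiryFromTrack2(m.getString(DE_TRACK2));
            if (!m.hasField(DE_PAN)) m.set(DE_PAN, pe[0]);
            if (!m.hasField(DE_EXPIRY) && pe[1] != null) m.set(DE_EXPIRY, pe[1]);
            m.unset(DE_TRACK2);
        }
        m.unset(DE_TRACK1);   // never needed once the transaction has been authorized
    }

    public static void main(String[] args) throws ISOException {
        // Constructed sample advice using a well-known test PAN, not a real card.
        ISOMsg advice = new ISOMsg("0220");
        advice.set(DE_TRACK2, "4111111111111111=25121011234567890");
        sanitize(advice);
        System.out.println("DE2=" + advice.getString(DE_PAN)
                + " DE14=" + advice.getString(DE_EXPIRY)
                + " track2 present=" + advice.hasField(DE_TRACK2));
    }
}
```

Calling `sanitize` from the transaction participant that enqueues the advice means the SAF store never sees DE 35 or DE 45, regardless of what the upstream processor or AS2805.2 revision eventually mandates.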

jPOS-EE ui (eeweb3) changes for PABP requirement 3.1

Section 3.1 of the Visa Payment Application Best Practices (PABP) states:

Test the application to verify that unique user names and complex passwords are required for all administrative access and for all access to cardholder data, in accordance with PCI DSS requirements 8.1, 8.2, and 8.5.

I am in the process of modifying the jPOS-EE ui (eeweb3) to support these requirements, and to expose them as configurable values so you can implement your organization's security policies. We use some of the jPOS-EE eeweb3 module in several of our payment solutions, notably our OLS.Switch.

Development and testing are ongoing, but I wanted to give a brief synopsis of the changes, which mostly leverage the use of User properties and SysConfig properties:

  • Flag to set a user account Status: Active || Inactive
  • Ability to force a user to require a password change on their next login
  • Password minimum length, Password change interval
  • Password Complexity options (based on required use of # of character classes (Upper, Lower, Numeric, Special, or required # of each type))
  • Password History (configurable number of passwords to check)
  • Account Lockout (and configurable duration)
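To make the list concrete, here is an added example, not the eeweb3 code in progress, of the six controls above implemented as one configurable policy class. A `java.util.Properties` object stands in for SysConfig and the property keys (`password.min.length`, `lockout.minutes`, and so on), the class names and the `AccountState` holder are all assumptions; the complexity rule implements the "required number of character classes" variant.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Properties;

/** Password and lockout policy driven by configuration; key names are assumed, not eeweb3's. */
public final class CredentialPolicy {
    private final int minLength;
    private final int requiredClasses;   // how many of upper/lower/digit/special must be present
    private final int historyDepth;      // previous passwords that cannot be reused
    private final int maxFailures;       // consecutive failed logins before lockout
    private final Duration lockout;
    private final Duration changeInterval;

    public CredentialPolicy(Properties cfg) {
        minLength       = Integer.parseInt(cfg.getProperty("password.min.length", "8"));
        requiredClasses = Integer.parseInt(cfg.getProperty("password.required.classes", "3"));
        historyDepth    = Integer.parseInt(cfg.getProperty("password.history", "4"));
        maxFailures     = Integer.parseInt(cfg.getProperty("lockout.max.failures", "6"));
        lockout         = Duration.ofMinutes(Long.parseLong(cfg.getProperty("lockout.minutes", "30")));
        changeInterval  = Duration.ofDays(Long.parseLong(cfg.getProperty("password.change.days", "90")));
    }

    /** Mutable per-account state that the user store would persist (the User properties of the post). */
    public static final class AccountState {
        public boolean active = true;             // Active || Inactive flag
        public boolean changeRequired;            // forced change on next login
        public Instant lastChanged;               // null until the first password is set
        public final Deque<String> history = new ArrayDeque<>();  // password digests, newest first
        public int failures;
        public Instant lockedUntil;
    }

    /** Returns null when the candidate is acceptable, otherwise the reason it was rejected. */
    public String validateNewPassword(String candidate, AccountState s) {
        if (candidate.length() < minLength) return "shorter than " + minLength + " characters";
        int classes = 0;
        if (candidate.chars().anyMatch(Character::isUpperCase)) classes++;
        if (candidate.chars().anyMatch(Character::isLowerCase)) classes++;
        if (candidate.chars().anyMatch(Character::isDigit)) classes++;
        if (candidate.chars().anyMatch(c -> !Character.isLetterOrDigit(c))) classes++;
        if (classes < requiredClasses) return "uses fewer than " + requiredClasses + " character classes";
        if (s.history.contains(digest(candidate))) return "reuses one of the last " + historyDepth + " passwords";
        return null;
    }

    /** Records an accepted password, trims history to the configured depth and clears the forced-change flag. */
    public void applyNewPassword(String candidate, AccountState s, Instant now) {
        s.history.addFirst(digest(candidate));
        while (s.history.size() > historyDepth) s.history.removeLast();
        s.lastChanged = now;
        s.changeRequired = false;
    }

    /** True when the account must set a new password before continuing. */
    public boolean changeDue(AccountState s, Instant now) {
        return s.changeRequired || s.lastChanged == null || now.isAfter(s.lastChanged.plus(changeInterval));
    }

    /** Login gate: inactive or currently locked-out accounts are refused before any password is checked. */
    public boolean mayAttemptLogin(AccountState s, Instant now) {
        if (!s.active) return false;
        return s.lockedUntil == null || !now.isBefore(s.lockedUntil);
    }

    /** Counts a failed login and locks the account for the configured duration once the limit is hit. */
    public void recordFailure(AccountState s, Instant now) {
        if (++s.failures >= maxFailures) {
            s.lockedUntil = now.plus(lockout);
            s.failures = 0;
        }
    }

    public void recordSuccess(AccountState s) {
        s.failures = 0;
        s.lockedUntil = null;
    }

    /** History entries are plain SHA-256 digests for brevity; a real store should reuse its salted credential hash. */
    static String digest(String pw) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(pw.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The login flow calls `mayAttemptLogin` first, then verifies the credential, then `recordSuccess` or `recordFailure`, and finally `changeDue` to decide whether to redirect the user to the change-password screen, where `validateNewPassword` and `applyNewPassword` enforce length, complexity and history.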

After I’m done coding and testing I’ll provide the code to jpos.org to merge into the jpos-ee svn codebase.