If you read the PCI standards carefully, and spend some time on the PCI-focused forums, you will notice that the prohibition on storing sensitive authentication data (full track data, card verification codes, PIN blocks) applies to data held after authorization, not necessarily to data in flight before the authorization decision. I think the official language is "subsequent to authorization".
On May 1st, a payment processor modified its message formats, as part of its PCI compliance work, so that it no longer sends Field 35 (track 2 data) in SAF (store-and-forward) advice transactions; it now sends the PAN in field 2 and the expiration date in field 14 instead of DE 35.
Also, from a forum post from “andrewj”
Another update on this (if you are from Australia): there is a change being made to AS2805.2 to change the track 2 field from mandatory to optional in 04x0 messages. This should be released sometime this month.
This is a good trend in the industry; hopefully others will follow this example. Note that the PAN moved into DE 2 is still cardholder data, so the SAF queue that stores the advice remains in scope and the stored PAN must still be protected; what the change removes is the sensitive authentication data (service code and discretionary data) that travels inside track 2.
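The following Python is an added example, not code from the processor, from AS2805 or from the jPOS project, modelling the two changes above: an 04x0 advice that used to carry DE 35 is rewritten to carry only DE 2 (PAN) and DE 14 (expiry, YYMM), and a check flags any post-authorization message that still carries sensitive authentication data (DE 35 track 2, DE 45 track 1, DE 52 PIN block). The message representation (a dict keyed by ISO 8583 field number plus an "MTI" entry), the function names and the sample advice are all constructed for this illustration.

```python
import re

# Track 2 as carried in ISO 8583 DE 35: PAN (up to 19 digits), a field separator
# ('=' on the card, often 'D' in hex-encoded representations), YYMM expiry, a
# 3-digit service code and issuer discretionary data, optionally ending in '?'.
TRACK2_RE = re.compile(
    r"^(?P<pan>\d{1,19})[=D](?P<expiry>\d{4})(?P<service>\d{3})?(?P<disc>\d*)\??$"
)

# Data elements that PCI DSS treats as sensitive authentication data and that
# must not be stored from (or, here, carried in) messages sent after authorization.
SENSITIVE_AUTH_FIELDS = {35: "track 2", 45: "track 1", 52: "PIN block"}


def parse_track2(track2: str) -> dict:
    """Split a DE 35 value into pan / expiry / service / disc; ValueError if malformed."""
    m = TRACK2_RE.match(track2.strip())
    if not m:
        raise ValueError("malformed track 2 data")
    return {name: (value or "") for name, value in m.groupdict().items()}


def is_advice(msg: dict) -> bool:
    """04x0 messages (reversals / advices) are sent after the authorization decision."""
    return str(msg.get("MTI", "")).startswith("04")


def strip_track2_from_advice(msg: dict) -> dict:
    """Return a copy of an 04x0 message carrying PAN in DE 2 and expiry in DE 14
    instead of full track 2 in DE 35.  Other MTIs are returned unchanged."""
    if not is_advice(msg) or 35 not in msg:
        return dict(msg)
    t2 = parse_track2(msg[35])
    out = {fld: value for fld, value in msg.items() if fld != 35}
    # If the message already carries DE 2 / DE 14 they must agree with track 2;
    # a mismatch points at a bug upstream rather than something to silently fix.
    if out.get(2, t2["pan"]) != t2["pan"]:
        raise ValueError("DE 2 does not match the PAN in track 2")
    if out.get(14, t2["expiry"]) != t2["expiry"]:
        raise ValueError("DE 14 does not match the expiry in track 2")
    out[2] = t2["pan"]
    out[14] = t2["expiry"]
    return out


def post_auth_violations(msg: dict) -> list:
    """List the sensitive-authentication-data fields present in an 04x0 message."""
    if not is_advice(msg):
        return []
    return sorted(fld for fld in SENSITIVE_AUTH_FIELDS if fld in msg)


if __name__ == "__main__":
    # Constructed sample: a 0420 SAF advice as it looked before the change,
    # using the well-known test PAN 4111111111111111.
    advice = {"MTI": "0420", 3: "000000", 4: "000000010000",
              35: "4111111111111111=2512101123456789"}
    print("before:", post_auth_violations(advice))
    fixed = strip_track2_from_advice(advice)
    print("after:", post_auth_violations(fixed), fixed)
```

In a real switch the rewrite belongs at the point where the advice is queued for SAF, so that the stored copy never contains track 2 at all, and the violation check is a cheap invariant to run on every outbound 04x0 message during testing of a format change like the one above.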
Glenbrook's Payment News maintains a list of payment and banking blogs, and The Payment Systems Blog is included in it. It is worth checking out the list and the other blogs on it.
Section 3.1 of the Visa Payment Application Best Practices (PABP) states:
Test the application to verify that unique user names and complex passwords are required for all administrative access and for all access to cardholder data, in accordance with PCI DSS requirements 8.1, 8.2, and 8.5.
I am in the process of modifying the jPOS-ee UI (eeweb3) to support these requirements, and to expose the thresholds as configurable values so that they can be set to match your organization's security policies. We use the jPOS-ee eeweb3 module in some of our payment solutions, notably our OLS.Switch.
Development and testing are ongoing, but I wanted to give a brief synopsis of the changes, which mostly leverage User properties and SysConfig properties:
After I am done coding and testing, I will provide the code to jpos.org to merge into the jpos-ee svn codebase.
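To make the configurable policy concrete, here is an added example in Python (not the eeweb3 code, which is Java, and not anything from jpos.org): a password policy whose thresholds are read from a property map standing in for SysConfig, with per-user state standing in for User properties. The property names (`password.min.length`, `login.max.failures`, and so on) are assumptions for this illustration; the default values are the PCI DSS v1.2 requirement 8.5 thresholds noted beside each one. Password history is kept as salted PBKDF2 hashes so that the "no reuse" check never needs cleartext passwords.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Property names are assumptions standing in for SysConfig keys; the default
# values are the PCI DSS v1.2 requirement 8.5 thresholds they correspond to.
DEFAULT_POLICY = {
    "password.min.length": 7,        # 8.5.10: at least seven characters
    "password.require.alpha": True,  # 8.5.11: both numeric and alphabetic
    "password.require.digit": True,
    "password.max.age.days": 90,     # 8.5.9: change at least every 90 days
    "password.history.size": 4,      # 8.5.12: not the same as any of the last four
    "login.max.failures": 6,         # 8.5.13: lock out after at most six attempts
    "login.lockout.minutes": 30,     # 8.5.14: lockout lasts at least 30 minutes
}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserState:
    """Per-user properties the policy needs. history holds (salt, hash) pairs,
    most recent first, and includes the current password."""
    username: str
    history: list = field(default_factory=list)
    password_changed: datetime = None
    failed_logins: int = 0
    locked_until: datetime = None


class PasswordPolicy:
    def __init__(self, props: dict = None):
        self.props = dict(DEFAULT_POLICY, **(props or {}))

    def validate_new_password(self, user: UserState, candidate: str) -> list:
        """Return the policy violations for a candidate password; empty means OK."""
        p, problems = self.props, []
        if len(candidate) < p["password.min.length"]:
            problems.append("too short")
        if p["password.require.alpha"] and not re.search(r"[A-Za-z]", candidate):
            problems.append("no alphabetic character")
        if p["password.require.digit"] and not re.search(r"[0-9]", candidate):
            problems.append("no numeric character")
        if user.username.lower() in candidate.lower():
            problems.append("contains user name")
        recent = user.history[: p["password.history.size"]]
        if any(hmac.compare_digest(_hash(candidate, salt), h) for salt, h in recent):
            problems.append("reused recent password")
        return problems

    def set_password(self, user: UserState, password: str, now: datetime) -> None:
        problems = self.validate_new_password(user, password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        user.history.insert(0, (salt, _hash(password, salt)))
        del user.history[self.props["password.history.size"]:]
        user.password_changed = now

    def password_expired(self, user: UserState, now: datetime) -> bool:
        max_age = timedelta(days=self.props["password.max.age.days"])
        return user.password_changed is None or now - user.password_changed > max_age

    def record_login(self, user: UserState, success: bool, now: datetime) -> bool:
        """Apply the failure counter and lockout; True means the login may proceed."""
        if user.locked_until is not None and now < user.locked_until:
            return False                 # still locked, even if the password was right
        user.locked_until = None
        if success:
            user.failed_logins = 0
            return True
        user.failed_logins += 1
        if user.failed_logins >= self.props["login.max.failures"]:
            minutes = self.props["login.lockout.minutes"]
            user.locked_until = now + timedelta(minutes=minutes)
            user.failed_logins = 0
        return False
```

The caller passes `now` explicitly so the expiry and lockout logic can be tested without waiting; in a web UI the same functions would be invoked from the login and change-password handlers, with the property map loaded from SysConfig at startup.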
I recently stumbled upon an article that makes a good point about the relationship between PABP compliance and PCI DSS compliance:
PABP Compliance Does NOT Imply PCI DSS Compliance
The short of it is that using PABP-compliant software does not, by itself, make you PCI DSS compliant. The application still has to be installed, configured and operated in an environment that meets PCI DSS, and that environment is what a merchant or service provider is assessed against.