PCI compliance (PCI DSS) for Front End
I am currently working on a project, one of whose features is e-commerce, so our system is responsible for the security of users' credit card information and other credential information.
I know that any web service that handles users' payment card information should comply with PCI (Payment Card Industry Data Security Standard). As a front-end developer, I need to figure out which parts of PCI DSS I should focus on and study.
Any suggestions, references or advice?
Thanks for the help.
PCI DSS is quite complex, but in short: most of the rules to follow concern back-end processing and storage. One of the key points for the front end is Requirement 3.3:
Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.
But I think doing this in the front end is a bad idea. It is better to send already-masked data to the front end, because everything on the client side can be manipulated (for example, you mask the card number via JavaScript, but the whole number can be found in the page source).
And of course Requirement 4:
4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission. (Where SSL/early TLS is used, the requirements in PCI DSS Appendix A2 must be completed.)
4.2 Never send unprotected PANs by end user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
4.3 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Make sure to use strong transport-layer encryption (TLS 1.2) and allow only secure ciphers, so that data sent from the front end to the back end cannot be read by anyone sniffing the network.
You should be aware that all protection efforts on the front end can be undermined by a dirty computer, meaning a computer infected with Trojans and other malware. This is mainly covered by Requirement 5.
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.
5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans, generate audit logs, which are retained per PCI DSS Requirement 10.7.
5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.
5.4 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.
Finally: make sure your application is penetration tested, since this is required.
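The answer's point about Requirement 3.3 is that masking must happen before the PAN reaches the browser. As an added example (not from the original post), this Node-style helper masks to first six/last four on the back end, builds the client response without the full PAN, and adds a last-line check on the serialized payload; the record shape, function names and the test card number are constructed for illustration.

```javascript
// Added example: server-side PAN masking for PCI DSS Req. 3.3. Masking
// happens before the record leaves the backend, so the browser never receives
// the full PAN in a response body or page source.

const MASK_CHAR = "*";

// Mask a PAN, keeping at most the first six and last four digits.
// Accepts PANs with spaces or dashes; returns null for anything that is not a
// plausible 13-19 digit card number (never echo unexpected input back).
function maskPan(pan) {
  if (typeof pan !== "string") return null;
  const digits = pan.replace(/[\s-]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return null;
  const first = digits.slice(0, 6);
  const last = digits.slice(-4);
  return first + MASK_CHAR.repeat(digits.length - 10) + last;
}

// Build the object the API returns to the front end. The stored record holds
// the full PAN; only the masked form and non-sensitive fields are copied over.
function toClientCard(record) {
  return {
    id: record.id,
    brand: record.brand,
    maskedPan: maskPan(record.pan),
    expiry: record.expiry,
  };
}

// Defensive check for the response serializer: flag any payload that still
// contains an unmasked PAN-like digit run. A last line of defence, not a
// substitute for masking at the source.
function containsUnmaskedPan(payload) {
  const text = JSON.stringify(payload).replace(/[\s-]/g, "");
  return /\d{13,19}/.test(text);
}

// Constructed sample record using a well-known test number (not a real card).
const sampleRecord = {
  id: "card_1",
  brand: "visa",
  pan: "4111 1111 1111 1111",
  expiry: "12/29",
};
const clientResponse = toClientCard(sampleRecord);
```

The same check belongs in any path that renders cardholder data, including error messages and logs, since Requirement 3.3 applies wherever the PAN is displayed.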
If you have any kind of device connected to your browser, such as a Bluetooth or wireless scanner, QR reader, swiper, etc., then this does not meet strict PCI standards. Data captured on the device needs to be encrypted on the device, even over a simple USB cable connecting the two.