sensitive credit card data is not encrypted
-------------------------------------------

Key: OFBIZ-3007
URL: https://issues.apache.org/jira/browse/OFBIZ-3007
Project: OFBiz
Issue Type: Bug
Components: accounting
Affects Versions: SVN trunk
Reporter: chris snow

I've only had a quick look at the Payment Card Industry standards, but I think the following fields should be encrypted in the ofbiz CreditCard entity:

Cardholder name
Valid from and Expiration date
Issue Number

[https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf]

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott Gray closed OFBIZ-3007.
-----------------------------

Resolution: Invalid

I would suggest a longer look

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762965#action_12762965 ]

chris snow commented on OFBIZ-3007:
-----------------------------------

Hi Scott, can you please elaborate on your comment. Do you feel that ofbiz meets the PCI standard?

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762966#action_12762966 ]

chris snow commented on OFBIZ-3007:
-----------------------------------

Hi Scott, can you please elaborate on your comment. Do you feel that ofbiz meets the PCI standard?

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762972#action_12762972 ]

Scott Gray commented on OFBIZ-3007:
-----------------------------------

PCI DSS Requirement 3.4 requires only the PAN (at a minimum) is rendered unreadable.

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762982#action_12762982 ]

Chris Snow commented on OFBIZ-3007:
-----------------------------------

Thanks for giving more information. Why comply only with the minimum requirement when it would be easy to encrypt the other sensitive data?

The guidelines state "These data elements must be protected if stored in conjunction with the PAN":

Cardholder Name
Service Code
Expiration Date

Have I misinterpreted the PCI document?

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762985#action_12762985 ]

Scott Gray commented on OFBIZ-3007:
-----------------------------------

{quote}
Thanks for giving more information. Why comply only with the minimum requirement when it would be easy to encrypt the other sensitive data?
{quote}

I have no opinion on that one way or the other, you could raise an improvement jira issue but it certainly isn't a bug.

{quote}
The guidelines state "These data elements must be protected if stored in conjunction with the PAN":

Cardholder Name
Service Code
Expiration Date

Have I misinterpreted the PCI document?
{quote}

You're missing the second sentence from the document: "This protection should be per PCI DSS requirements for general protection of the cardholder data environment." You're confusing general protection with encryption.

[ https://issues.apache.org/jira/browse/OFBIZ-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762991#action_12762991 ]

chris snow commented on OFBIZ-3007:
-----------------------------------

Thanks for clarifying Scott.