DEV Community

Discussion on: Would you send a plain text password from your website to the server over a secure connection?

thatjoemoore profile image
Joseph Moore

It doesn't require "no storage" (at least, not of the PAN), just that we protect the storage (requirement 3.4 of PCI-DSS 3.2), which includes within log files. This strategy helps us achieve that. I was, however, trying to talk about a broader scope than just PCI, even if that's the specific case that I'm dealing with, hence the hoping that people are actually doing pen tests. Even within PCI, though, I wonder how many auditors have checked the pen test records for the log servers, as opposed to just checking them for the app servers and DBs. I don't trust my auditors to make my system secure any more than they trust me :).

Thread Thread
stevefutcher profile image
Steve Futcher

When we had a pa dss audit every server had it's hard drive cloned and checked for anything matching the luhn algorithm. Lots of false positives but your solution seems like an excellent precaution.