« Implementing non-ISO8583 interfaces | Main | 1 Customer, 1 Day, 3,338,094 Transactions »

Thursday, February 25, 2010


Feed You can follow this conversation by subscribing to the comment feed for this post.

I have seen proposals for PCI-split where a license certificate classifies the installation as PCI-compliant or 'less' compliant.

The scary part for me about this was that now you have logic splits in your core software to adapt the behavior according to the PCI-status. E.g. data would be stored clear or encrypted in the database based on customer choice regardless of sensitivity of the data.

Your solution of configuring your application's PCI state by changing application composition is a much cleaner approach from a software transparency and clarity perspective.

I believe that PCI components of an application must always be protected (and certifiable) by default. Non-protected access to this data should always be controlled at the presentation layer rather than introducing confusion in your core application.

Thanks for your insights, Alywn. We put a 'stake in the ground' that we wouldn't make any coding changes to support the split. We're happy with the way it turned out and like the layer of control the 'build-centric' approach provides us.

Of course, there is the additional factor now of making sure our customer installs the right release into the right environment! We've put additional protection in place to ensure that if per chance the installs get reversed, no transactions will work in that environment after the startup.

-- Andy

The comments to this entry are closed.

AddThis Social Bookmark Button


  • Alejandro's jPOS Project
    Faced with payment systems challenges? Start here to learn more about Alejandro Revilla's jPOS project.
  • Dave Bergert's Blog
    Insights from my OLS colleague, Dave Bergert, CISSP, CISA, CompTIA Security+, and former Visa-certified QSA.
  • Glenbrook's Blog List
    Glenbrook Partners has compiled "a current summary of the latest content from some of our favorite payments and banking blogs." Dave, Alejandro and I are on the list.
  • soliSYSTEMS
    My friend Roque Solis is our go-to guy for RFID, smart cards, chip cards, integrated circuit cards, HSMs, cryptographic accelerators and public-key cryptography.
  • Specs Online - AMEX
    American Express puts its acquirer specs online for public retrieval.
  • Specs Online - FDMS
    First Data Merchant Services puts its acquirer specs online for public retrieval.
    [NOTE: This repository is accessible only via IE; this link will not work with Firefox or other browsers.]


  • The PCI Split
    Depicts how we split an implementation into PCI and non-PCI halves.
  • The Virtuous Spiral
    A good payment system unleashes customer creativity. Does yours?
Blog Widget by LinkWithin

  • Your attention to detail is a great asset. Use it wisely.