[interchange-cvs] [SCM] Interchange branch, master, updated. fe182d93b4741210ca1511bdeb03d2c51cc87097

Jon Jensen interchange-cvs at icdevgroup.org
Fri Jun 19 05:00:48 UTC 2009


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "Interchange".

The branch, master has been updated
       via  fe182d93b4741210ca1511bdeb03d2c51cc87097 (commit)
      from  8f5ff11ebdb0840c29a50596354121179e71068e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fe182d93b4741210ca1511bdeb03d2c51cc87097
Author: Jon Jensen <jon at endpoint.com>
Date:   Thu Jun 18 22:56:42 2009 -0600

    Remove CVV2/CSC from default credit card encrypted block template
    
    The card security code should not be stored at all, even in encrypted
    form. This makes the default behavior compliant with section 3.2.2 of
    PCI-DSS 1.2:
    
    https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
    
    It is of course still possible to manually supply a template that
    stores the card security code in violation of PCI-DSS requirements, so
    developers should review any custom credit card encryption templates
    to make sure that the CVV2 is not included, and purge it from any
    historical data they have stored.
    
    Thanks to Mark Lipscombe for calling attention to this.

-----------------------------------------------------------------------

Summary of changes and diff:
 WHATSNEW-5.7      |   11 +++++++++++
 lib/Vend/Order.pm |    1 -
 2 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/WHATSNEW-5.7 b/WHATSNEW-5.7
index a389a0a..678fded 100644
--- a/WHATSNEW-5.7
+++ b/WHATSNEW-5.7
@@ -132,6 +132,17 @@ Payment
 * [pay-cert] tag now uses the new adjust_time() function instead of the older
   time_to_seconds().
 
+* Remove CVV2 (Card Security Code) from default credit card encrypted block
+  template so that it will not even be stored in encrypted form. This makes
+  the default behavior compliant with section 3.2.2 of PCI-DSS 1.2:
+
+  https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
+
+  It is of course still possible to manually supply a template that stores
+  the card security code in violation of PCI-DSS requirements, so developers
+  should review any custom credit card encryption templates to make sure that
+  the CVV2 is not included, and purge it from any historical data.
+
 UserTag
 -------
 
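Review bot: The new Payment entry (the added lines after the [pay-cert] item) tells developers to review custom credit card encryption templates but never names the token they should look for. The Order.pm change in this same commit shows it is `{MV_CREDIT_CARD_CVV2}`, so quoting that placeholder in the entry would let site maintainers search their templates directly. The entry could also say outright that this is a change in default behaviour: after upgrading, a site using the default template will no longer find the security code in the encrypted block, and an order-processing step that read it from there will get nothing.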
diff --git a/lib/Vend/Order.pm b/lib/Vend/Order.pm
index fe08095..1e9b4b6 100644
--- a/lib/Vend/Order.pm
+++ b/lib/Vend/Order.pm
@@ -443,7 +443,6 @@ sub build_cc_info {
 			{MV_CREDIT_CARD_TYPE}
 			{MV_CREDIT_CARD_NUMBER}
 			{MV_CREDIT_CARD_EXP_MONTH}/{MV_CREDIT_CARD_EXP_YEAR}
-			{MV_CREDIT_CARD_CVV2}
 		)) . "\n";
 
 	$cardinfo->{MV_CREDIT_CARD_TYPE} ||=
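Review bot: Dropping `{MV_CREDIT_CARD_CVV2}` from the default template literal in build_cc_info only covers sites that use the default; as the commit message itself notes, a manually supplied template can still include the token and will keep writing the security code into the encrypted block. Consider having build_cc_info check the template actually in use for `{MV_CREDIT_CARD_CVV2}` and log a warning (or strip the token) so that a non-compliant custom template is detected at runtime rather than only by manual review. A short comment above the default template stating why CVV2 is deliberately absent would also help keep a later change from adding it back.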


hooks/post-receive
-- 
Interchange


