pci-compliance Questions

3

Solved

In trying to disable TLS 1.0, there are KitKat devices needing access to my API. I have tried overriding the default socket factory without success. I have tried converting to okhttp. Still not wor...
Estray asked 19/7, 2017 at 22:46

4

We have to log incoming requests and outgoing responses for our web service. This includes JSON serialization of each object so they can be stored in a database. Some information is considered sen...
Augustinaaugustine asked 26/1, 2018 at 16:54

2

I bought a PositiveSSL Wildcard from https://www.ssls.com/ I have received 3 files: a .ca-bundle, a .crt and a .p7b. I configured the certificates with NGINX but I'm getting an error: "Servers c...
Rackrent asked 14/11, 2017 at 16:2

4

Solved

We’re developing a mobile app (iOS and Android) for a client which has its own payment processing solution. The app is public-facing, and will be used by individual consumers on their own phones. ...
Censurable asked 4/12, 2015 at 12:37

2

I have used this in my code: <script type="text/javascript" src='https://www.googleadservices.com/pagead/conversion.js'></script> In the PCI scan I received an error for this saying "Scrip...
Chlorous asked 1/8, 2019 at 11:35

1

Solved

We are working on a project, its nature is somewhat ride sharing, I read about PCI Compliance, I know we have to be PCI Compliance if we are dealing with credit card or payment, I am a little ambiguo...
His asked 13/2, 2019 at 8:2

2

Solved

The existing version of openssh on OS X 10.7.4 is SSH-2.0-OpenSSH_5.6, which is not, unfortunately, PCI Compliant. So, I need to upgrade it and I have been trying to do so with Homebrew. So far, w...
Hoarfrost asked 18/5, 2012 at 19:58

4

Solved

What is considered "best practice" for encrypting certain sensitive or personally identifiable data in a SQL database (under PCI, HIPAA, or other applicable compliance standards)? There are many q...
Grammatical asked 13/3, 2014 at 16:40

6

I have a server running Ubuntu 14.04, but I have an issue with PCI requirements. I have installed in my server OpenSSH 6.6p1, then I upgraded it to OpenSSH 7.2p, compiling the code with make and ma...
Laine asked 6/4, 2016 at 14:21

2

In order to maintain PCI compliance, I need to have TLS v1.0 disabled. Is there any way to do that (without paying for tech support)?
Polarize asked 9/8, 2016 at 4:9

4

Solved

As per PCI, we need to stop using SSL and TLS (1.0 and 1.1 in certain implementations) from June 30th 2016 as per http://blog.securitymetrics.com/2015/04/pci-3-1-ssl-and-tls.html We have a client ...
Unmuzzle asked 9/7, 2015 at 12:19

2

We need to store the last 4 digits of the credit card (in order to let customers know which card they have used?) and expiry date (to notify customers that their card is about to expire) for our subscript...
Merras asked 19/6, 2017 at 12:17

1

Solved

We would like to use a banking API to do SEPA transfers from our bank account to the user's bank account. For that the user needs to enter his IBAN and BIC into the form. We take those data (SSL se...
Wheat asked 25/11, 2016 at 7:5

1

My PCI scans are failing on my win 2012 R2 server because of this. Here is the list of medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (> 64-bit and < 112-b...
Teryn asked 17/1, 2017 at 15:47

2

When you have all these various javascript files included on a page for various services like website analytics, click tracking etc., doesn't this create a huge security risk because using javascri...
Karolynkaron asked 23/11, 2015 at 18:49

5

Solved

I want to host an application on Windows Azure that stores the credit card information of users who pay to buy subscriptions for a monthly fee. I'd just have to store the card data as securely as p...
Fonseca asked 23/6, 2012 at 5:30

3

I am writing a point of sale application for a client who has some very specific needs. The client is a retail store, so when they process credit cards, they have a physical card present and can sw...
Heng asked 12/6, 2013 at 3:43

1

Solved

I am trying to get my head round the Hosted Fields framework of Braintree. It has been released just a few days ago and is still in beta. I looked at the docs. I'm getting the overall idea but it ...
Wake asked 19/5, 2015 at 22:56

1

Solved

I have a 3rd party client who did a PCI scan on their site. The report returned this: web server autoindex enabled What is this and is it safe to disable it? Does anyone know the safest way to di...
Ravage asked 26/2, 2015 at 20:15

6

Solved

I'm trying to get a Fedora 14 server running Apache 2.2.17 to pass a PCI-DSS compliance scan by McAfee ScanAlert. My first attempt using the default SSLCipherSuite and SSLProtocol directives set in...
Rebound asked 24/4, 2011 at 7:41

4

Solved

I have been advised that having expose_php = On in my php.ini is a security issue and is, therefore, not PCI compliant. My research on it so far suggests that turning it off is low risk and will es...
Intrauterine asked 8/3, 2012 at 12:19

5

Solved

I have this idea, but I am unsure if it is PCI compliant. I'm new to the arena of PCI compliance and am curious to know if this scenario violates PCI. So, let's set up the scenario. Company A is P...
Joliejoliet asked 18/11, 2010 at 21:13

1

Solved

I am working on a legacy ecommerce platform and have noticed a convention when dealing with credit card numbers. C# cardnumber = "11111111111111111111"; cardnumber = null; or in sql update card...
Alliterative asked 19/4, 2013 at 9:56

2

Solved

I am looking for an open source static source code analysis tool that can be used for security testing of an android application. I need to make sure that my application is PCI compliant. An exampl...
Alkaline asked 9/4, 2013 at 8:16

2

Solved

We're trying for PCI compliance on a load balanced EC2 instance on AWS. One issue we have to resolve is our load balancer accepts weak ciphers. However, ELB doesn't support the cipher suite, so I h...
Byline asked 23/2, 2012 at 18:54
