WebApp Sec mailing list archives
Re: Should login pages be protected by SSL?
From: Andrew van der Stock <vanderaj () greebo net>
Date: Tue, 21 Jun 2005 23:47:07 +1000
Amir, it's required. See Attachment A from the PCI Guidelines. It's very clear, particularly on page two with the diagram. If you deal with CC numbers, you must encrypt the communications over the Internet.

Eg, for the asia-pac region:

http://www.visa-asia.com/secured/includes/AP_Encrypt_Clarification.pdf

thanks,
Andrew

On 21/06/2005, at 8:07 PM, Amir Herzberg wrote:

The Visa/MC PCI guidelines are quite stringent on applying reasonable controls to this data.

Well, actually, I've worked with the card people a lot but am not aware of a specific requirement to use SSL to protect the form sent to the consumer and not just to protect the CC# in transit. Do you know? If you can give me some reference, I'll appreciate. I can also ask my contacts. I am very interested, as one of the companies which uses unprotected login is Amex, and in fact we had a long argument with them on these questions...