
javascript - PCI compliance (PCI DSS) on the front end

Reposted. Author: 行者123. Updated: 2023-11-29 19:07:42

I am currently working on a project, one of whose features is e-commerce, so our system has to be responsible for the security of users' credit card information and other credential data.

I know that any web service handling users' payment card information should follow PCI compliance (the Payment Card Industry Data Security Standard). As a front-end developer, I need to figure out which parts of PCI DSS I should focus on and learn.

Any suggestions, references, or advice?

Thanks for the help

Best answer

PCI-DSS is fairly complex, but in short: most of the rules to follow concern back-end processing and storage. One of the key points for the front end is requirement 3.3:

Mask PAN when displayed (the first six and last four digits are the maximum number of digits you may display), so that only authorized people with a legitimate business need can see more than the first six/last four digits of the PAN. This does not supersede stricter requirements that may be in place for displays of cardholder data, such as on a point-of-sale receipt.

But I think doing this on the front end is a bad idea. It is better to send already-masked data to the front end, because everything on the client can be manipulated (for example, you mask the card number via JavaScript, but the whole number can be found in the page source).

And of course there is requirement 4:

4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks (e.g. Internet, wireless technologies, cellular technologies, General Packet Radio Service [GPRS], satellite communications). Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission. (Where SSL/early TLS is used, the requirements in PCI DSS Appendix A2 must be completed.)

4.2 Never send unprotected PANs by end user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).

4.3 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

Be sure to use strong transport-layer encryption (TLS 1.2) and only allow secure ciphers, so that data transmitted from the front end to the back end cannot be read by someone sniffing the network. You should be aware that all protection work on the front end can be undermined by a dirty computer, meaning a computer infected with trojans and other malware. This is mostly covered by requirement 5.

5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). For systems not affected commonly by malicious software, perform periodic evaluations to evaluate evolving malware threats and confirm whether such systems continue to not require anti-virus software.

5.2 Ensure that all anti-virus mechanisms are kept current, perform periodic scans, generate audit logs, which are retained per PCI DSS Requirement 10.7.

5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period.

5.4 Ensure that related security policies and operational procedures are documented, in use, and known to all affected parties.

Finally: make sure you have your application penetration tested, as this is required.

Regarding javascript - PCI compliance (PCI DSS) on the front end, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/41601859/
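The answer's advice on requirement 3.3 is to mask the PAN on the server and send only the masked form to the browser. The following is an added example illustrating that pattern in Node-style JavaScript; it is not code from the answer above or from the PCI SSC. `maskPan`, `toClientView`, `containsLikelyPan` and the sample record are assumed names and constructed data.

```javascript
// Added example (not from the original answer or PCI SSC). The backend masks the
// PAN per requirement 3.3 before the record is serialised for the browser, and a
// guard scans the outgoing JSON for anything that still looks like an unmasked
// card number. Helper names are hypothetical; the card number is a test value.

const MAX_LEADING = 6;  // requirement 3.3 ceiling: at most first six ...
const MAX_TRAILING = 4; // ... and last four digits may be shown

function normalisePan(pan) {
  const digits = String(pan).replace(/[\s-]/g, '');
  if (!/^\d{8,19}$/.test(digits)) throw new TypeError('PAN must be 8 to 19 digits');
  return digits;
}

// Last four only by default; callers may ask for up to 6/4, but the 3.3 ceiling always applies.
function maskPan(pan, leading = 0, trailing = 4, maskChar = '*') {
  const digits = normalisePan(pan);
  const lead = Math.min(leading, MAX_LEADING);
  const trail = Math.min(trailing, MAX_TRAILING);
  const hidden = digits.length - lead - trail;
  if (hidden < 1) throw new RangeError('mask would expose the whole PAN');
  return digits.slice(0, lead) + maskChar.repeat(hidden) + digits.slice(digits.length - trail);
}

// The object actually sent to the frontend: the raw PAN is dropped and only the
// masked form is kept, so "view source" in the browser cannot recover it.
function toClientView(record) {
  const { pan, ...rest } = record;
  return { ...rest, panMasked: maskPan(pan) };
}

function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Guard run on the serialised response: a 13-19 digit run (spaces or dashes
// allowed) that passes Luhn is treated as a leaked PAN. Masked values never match.
function containsLikelyPan(text) {
  const runs = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((r) => luhnValid(r.replace(/[ -]/g, '')));
}

const sampleRecord = { orderId: 'A-1001', pan: '4111 1111 1111 1111', expiry: '12/27' };
const outgoingJson = JSON.stringify(toClientView(sampleRecord));
```

Running `containsLikelyPan` over the serialised response before it leaves the server is a cheap regression check that a later refactor has not started sending the raw PAN to the client.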
