I’m a software engineer and I’m currently working on another payment application (my 3rd one) that must go through PCI PA-DSS compliance. I’m re-examining the PA-DSS documentation and I’m wondering whether in the past I overdid the security of the application, when I could’ve gotten by with TLS and user/pass. So, my questions are, when implementing a PA-DSS secure application:
1. For authentication and communication security, is it enough to have TLS + user/pass?
2. What part(s) of the PA-DSS standard justify the need to implement message hashing and a rolling hash between web method calls? TLS implements reliable messages, but not rolling hashes and persistent callers between messages. Will implementing a rolling hash make any difference (from the PA-DSS standpoint)?
3. If a payment processing application stores PII and serves different companies (meaning that Company A and Company B can have accounts in such an application), there is no specific requirement stating that the PII cannot be stored in the same DB, but in the past PA-QSAs have insisted on this being an issue. The question is: is this truly necessary? I cannot imagine that Authorize.NET, a company with thousands of clients and processors, has a different database to store the credit cards processed through each of its client companies.
Thanks in advance!
Update #1:
Assume all pages and web services, both in the DMZ and in the Secure Zone, will use HTTPS for all communication channels, pages and services.
On #3, the question is not about the location or security of the storage of sensitive information. The question is more about the ability to share sensitive information from different sources (clients such as AT&T and Verizon, for example) in the same database.
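As an added illustration (not the asker’s code, and not anything PA-DSS prescribes) of what a rolling hash between web method calls adds on top of TLS: each call carries an HMAC over the previous call’s tag, a sequence number and the body, so the server can reject a replayed, reordered or tampered call even though TLS already protected each message in transit. The shared secret, the session classes and the sample calls are constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed demo secret; assumed to be shared out of band by client and server.
SECRET = b"constructed-demo-secret"
GENESIS = b"\x00" * 32  # starting "previous tag" for a fresh session


def chain_tag(prev_tag: bytes, seq: int, body: dict) -> bytes:
    """HMAC covering the previous tag, the sequence number and the canonical body."""
    msg = prev_tag + seq.to_bytes(8, "big") + json.dumps(body, sort_keys=True).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


class ClientSession:
    """Hypothetical caller: chains each call's tag onto the previous one."""

    def __init__(self):
        self.seq, self.prev = 0, GENESIS

    def send(self, body: dict) -> dict:
        self.seq += 1
        self.prev = chain_tag(self.prev, self.seq, body)
        return {"seq": self.seq, "body": body, "tag": self.prev.hex()}


class ServerSession:
    """Hypothetical verifier: accepts only the next call in the chain."""

    def __init__(self):
        self.seq, self.prev = 0, GENESIS

    def accept(self, msg: dict) -> bool:
        if msg["seq"] != self.seq + 1:
            return False  # replay (old seq) or gap/reorder (future seq)
        expected = chain_tag(self.prev, msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            return False  # body or chain tampered with
        self.seq, self.prev = msg["seq"], expected  # advance only on success
        return True


def demo() -> list:
    """Constructed sequence: authorize, a replay of it, a tampered capture, then the real capture."""
    client, server = ClientSession(), ServerSession()
    m1 = client.send({"op": "authorize", "amount": "10.00"})
    m2 = client.send({"op": "capture", "ref": "constructed-ref-1"})
    forged = {**m2, "body": {"op": "capture", "ref": "constructed-ref-2"}}
    return [server.accept(m1), server.accept(m1), server.accept(forged), server.accept(m2)]
```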