PCI Compliance of JPOS


harshaper...@gmail.com

Aug 27, 2014, 7:08:19 PM
to jpos-...@googlegroups.com
Hi,

I have proposed to the client organisation that JPOS be used to build an application that processes MasterCard IPM files.

Hence the client organisation is in the process of evaluating JPOS for deployment in an environment that strictly enforces PCI standards.

In order to convince the solution architect, IT security, PCI Compliance Manager and project manager to give the green light to JPOS, could the following information be provided please?

Is JPOS currently deployed in an environment strictly enforcing PCI standards? If so in which organisations?

What vulnerability testing has the JPOS library been subjected to?

Given that JPOS will be a black box to us, are there any security standards/features that it complies with which will give us the confidence to respond to a PCI compliance audit stating that this library has NO security holes or has no backdoor left open?

Thanks in advance
Harsha

Constantino Voulgaris

Aug 27, 2014, 11:09:34 PM
to jpos-...@googlegroups.com
If you go to http://jpos.org/about , you'll see a section titled "Who is using jPOS?", which includes a very tiny subset of companies using it. You'll quickly realize that some of those companies probably deployed jPOS in environments strictly enforcing PCI standards.

If jPOS were a black box to you, it's fair to say that it might be one of the more transparent black boxes you'll ever be installing in your software architecture, as all the code is available to you: it's open source and available to you and the entire world to review for hidden backdoors or holes.





--
--
jPOS is licensed under AGPL - free for community usage for your open-source project. Licenses are also available for commercial usage. Please support jPOS, contact: sa...@jpos.org
 
Join us in IRC at http://webchat.freenode.net/?channels=jpos
 
You received this message because you are subscribed to the "jPOS Users" group.
Please see http://jpos.org/wiki/JPOS_Mailing_List_Readme_first
To post to this group, send email to jpos-...@googlegroups.com
To unsubscribe, send email to jpos-users+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/jpos-users
---
You received this message because you are subscribed to the Google Groups "jPOS Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jpos-users+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jpos-users/fe99fd04-10fb-43b0-9e57-839acdd6f4d7%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

harshaper...@gmail.com

Aug 28, 2014, 2:55:46 AM
to jpos-...@googlegroups.com
Thanks for that.

Having a list of companies that deployed JPOS in environments strictly enforcing PCI standards will give the organisation a degree of confidence.

Doing a Security Review of the 100,000 lines of JPOS source code is not feasible at this stage.

Andrés Alcarraz

Aug 28, 2014, 3:03:57 AM
to jpos-...@googlegroups.com
It's hilarious how people trust closed systems to which they have no access to the code, and distrust open source. I mean, people trust Windows? Or the closed-source mainframe operating system? With many more unknown and impossible-to-know vulnerabilities and millions of lines of code behind it. But they are unwilling to review the considerably fewer lines of code of an open source project.

This is a funny world we live in :P




On 28/08/14 at 03:55, harshaper...@gmail.com wrote:

-- 
And

Andrés Alcarraz

Aug 28, 2014, 3:10:56 AM
to jpos-...@googlegroups.com
Sorry for the OT, but I had to say this: it seems the degree of trust is directly proportional to the amount spent on a product :P.


On 28/08/14 at 04:03, Andrés Alcarraz wrote:
-- 
And

Pieter Botha

Aug 28, 2014, 3:23:51 AM
to jpos-...@googlegroups.com
We recently built a jPOS based system and are fully PCI compliant. Keep in mind that PCI compliance has absolutely nothing to do with jPOS but rather your implementation of it. You decide whether your code will be PCI compliant or not, whether your logs are masked or not, whether your database records are encrypted or not, whether your network is secure and correctly set up or not. jPOS is a library or framework that you use to write your code.

Keep in mind, if you are integrating with anyone out there, check first if they are PCI compliant, else I suggest you start requesting waivers from Visa/Amex/Mastercard and the likes.


On Thursday, 28 August 2014 01:08:19 UTC+2, harshaper...@gmail.com wrote:
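Pieter's point that log masking is the implementer's job, illustrated with an added example that is neither jPOS code nor part of any post in this thread: a plain-Java helper that masks Luhn-valid, PAN-length digit runs in a log line before it is written, keeping only the first six and last four digits. The class name, the regex and the sample log line are constructed for this illustration.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not from jPOS): masks card numbers in free-form log text.
public final class PanMasker {
    // Constructed pattern: standalone runs of 13 to 19 digits, the usual PAN lengths.
    private static final Pattern PAN_RUN = Pattern.compile("\\b\\d{13,19}\\b");

    // Luhn check: only digit runs that pass it are treated as candidate PANs,
    // so reference numbers and amounts of similar length are usually left alone.
    static boolean luhnValid(String digits) {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // Keep the first six (BIN) and last four digits, replace everything between with '*'.
    static String maskPan(String pan) {
        if (pan.length() < 13) return pan;  // not a PAN length; leave untouched
        StringBuilder sb = new StringBuilder(pan.substring(0, 6));
        for (int i = 6; i < pan.length() - 4; i++) sb.append('*');
        return sb.append(pan.substring(pan.length() - 4)).toString();
    }

    // Rewrites a whole log line, masking every Luhn-valid PAN-length run it contains.
    static String maskLine(String line) {
        Matcher m = PAN_RUN.matcher(line);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String run = m.group();
            String repl = luhnValid(run) ? maskPan(run) : run;
            m.appendReplacement(out, Matcher.quoteReplacement(repl));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample line: a well-known test PAN plus a short STAN that must survive.
        String log = "txn ok pan=4111111111111111 stan=123456 amount=1000";
        System.out.println(maskLine(log));
    }
}
```

Run the masking at the point where the log line is built, not afterwards on stored logs, so unmasked data never reaches disk.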

Mark Salter

Aug 28, 2014, 3:27:33 AM
to jpos-...@googlegroups.com
On 28/08/2014 08:10, Andrés Alcarraz wrote:
> directly proportional to the amount spent in a product :P.
This is a key here - and certainly ON-topic...

... OP seems to want all the answers and has a 'client' they are
advising, but...


... not once have I seen the consideration of the LICENSE that will be
needed for this almost certainly commercial arrangement.

I certainly hope they 'do the needful' and I do wish that this 'client'
was seeking detail from those that know and have done instead of
receiving advice from someone it appears that has not and does not.

Hello 'client' if you are reading this, please see the relevant websites
for license terms, since that is the easy part to consider and address.

:-)



--
Mark
BTW, if this 'client' is non commercial then I will happily acknowledge
my short sightedness, ignorance and eat my own hat :-)

Vaibhav Aher

Aug 28, 2014, 3:53:14 AM
to jpos-...@googlegroups.com
Harsha,

If you are transmitting, storing or processing credit card data, you are in scope of PCI or PA DSS.

PA DSS (Payment Application Data Security Standard) is for third party payment applications procured and used for card payments (let's say a payment switch).

As a requirement, any such application (closed source) should be PA DSS compliant, and you will need to check the PA DSS compliance status of that application with its version. You cannot apply for PA DSS compliance for the application on behalf of the solution provider company.

If you are using an open-source application then your organization has to take care of secure code review and application security testing as per the PCI DSS guidelines (no need for PA DSS compliance as long as your company is not into product selling).


Regards
Vaibhav
Vulnerability Management and PCI DSS consultant

harshaper...@gmail.com

Aug 28, 2014, 9:18:41 AM
to jpos-...@googlegroups.com
It is not unwillingness. There is simply insufficient time to review 100,000 lines of JPOS code to determine vulnerabilities given the tight timelines. Hope that is understood.

harshaper...@gmail.com

Aug 28, 2014, 9:21:57 AM
to jpos-...@googlegroups.com
I am trying to decipher the message being conveyed. It appears to be a concern about the license.

It has to be a commercial licence if JPOS is to be used in the client's site. Hope that answers your concerns.

harshaper...@gmail.com

Aug 28, 2014, 9:23:11 AM
to jpos-...@googlegroups.com
Thank you very much Vaibhav for the very useful information.

harshaper...@gmail.com

Aug 28, 2014, 9:23:51 AM
to jpos-...@googlegroups.com
Thank you very much Pieter.

Andrés Alcarraz

Aug 28, 2014, 3:49:26 PM
to jpos-...@googlegroups.com
It was just a joke about the irony. I mean, has there been time to review the billions of compiled instructions of the operating system the already existing solution runs on? Or is it an open source operating system auditable by a wide community of developers?


On 28/08/14 at 10:18, harshaper...@gmail.com wrote:

-- 
And

harshaper...@gmail.com

Aug 28, 2014, 6:49:43 PM
to jpos-...@googlegroups.com
Interesting point. They are currently running Oracle on Linux on that box.

I guess there is an implicit "trust" factor when it comes to those two products.

Andrés Alcarraz

Aug 28, 2014, 6:56:45 PM
to jpos-...@googlegroups.com
That's why I said trust is directly proportional to the amount spent...
On 28/08/14 at 19:49, harshaper...@gmail.com wrote:

-- 
And