Adjusting TLS / Crypto for PCI question Proxy and Base environment question


markb

Jun 14, 2024, 4:40:15 PM
to XMPie Interest Group
Hi all, we are planning to adjust TLS / Crypto settings for PCI compliance for uStore and Support answered most of our questions (thank you).

Does anyone know if we should make the adjustments (we're planning on using Crypto IIS https://www.nartac.com/Products/IISCrypto) on our Base server as well that's behind the firewall? Planning to make the adjustments for PCI on the Proxy, but was not sure if we should match changes on the Base server for any technical reasons outside of perhaps could not hurt or may be best practice. This wasn't super clear from support before the case was closed and thought I'd send a note here.

Thank you! Mark

Wayne

Jun 14, 2024, 4:59:14 PM
to XMPie Interest Group
Hi Mark,
If you are transferring sensitive data from the application server (uStore) to a payment gateway provider then the application server needs to be PCI compliant as well.
Having been through this exercise I would recommend you make your entire solution PCI compliant rather than just your proxy server.
Of course a better option is don't use payment gateways that require PCI compliance - most have punch out options so it's no longer an issue.

Regards,
Wayne

markb

Jun 14, 2024, 9:10:17 PM
to XMPie Interest Group
Thanks Wayne, we are setting up for a Redirect Gateway and our PCI vendor seems to be requiring us to scan uStore Proxy where the redirect happens. Mark