I am a software engineer, and I'm currently working on another payment application (my third one), which must meet PCI PA-DSS requirements. I am revising the PA-DSS documentation and I wonder if in the past I overloaded work on application security when I could go with TLS and user/pass. So, my questions when implementing the PA-DSS secure application:
To ensure authentication and communication security, is it enough to have TLS + user/pass?
What part(s) of the PA-DSS standard justify the need to implement hashing and hashing of messages between calls to web methods? TLS implements reliable messages, but does not perform hashing and constant calls between messages. Will the rolling hash make any difference (in terms of PA-DSS)?
If a payment processing application stores PII information and serves different companies (this means that company A and company B may have accounts in such an application), there is no special requirement that PII information cannot be stored in the same DB, but in the past PA-QSAs insisted this was a problem. The question is, is this really necessary? I can't think that Authorize.NET, a company with thousands of customers and processors, has different databases for storing credit cards processed through each of its client companies.
Thanks in advance!
Update # 1:
Suppose that all pages and web services, both in DMZ and in Secure Zone, will have HTTPS for all communication channels, pages and services.
# 3 . (, AT & T Verizon) .
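To make concrete what the "rolling hash between calls to web methods" in the question above would actually buy on top of TLS, here is an added illustration (not code from the asker or from any PA-DSS guidance): each request carries an HMAC tag computed over a sequence number, the previous message's tag and the canonical body, and the receiver rejects anything out of order, replayed or modified. The shared secret, the message format and the `sign_request`/`Verifier` names are all assumptions made for this example; TLS still protects the channel, while this application-layer chain gives tamper evidence and replay detection that survives TLS termination at a DMZ proxy.

```python
import hashlib
import hmac
import json

# Constructed shared secret for this example only. In a real deployment it
# would be provisioned per client out of band, never embedded in source.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Initial chain value before any message has been sent (constructed).
GENESIS_TAG = "0" * 64


def canonical_body(body: dict) -> bytes:
    """Serialise the body deterministically so sender and receiver hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def compute_tag(secret: bytes, seq: int, prev_tag: str, body: dict) -> str:
    """HMAC-SHA256 over sequence number, previous tag and canonical body."""
    msg = f"{seq}|{prev_tag}|".encode() + canonical_body(body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_request(secret: bytes, seq: int, prev_tag: str, body: dict) -> dict:
    """Client side: wrap a web-method call in a signed, chained envelope."""
    return {"seq": seq, "prev": prev_tag, "body": body,
            "tag": compute_tag(secret, seq, prev_tag, body)}


class Verifier:
    """Server side: tracks the expected sequence number and last accepted tag."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.expected_seq = 1
        self.last_tag = GENESIS_TAG

    def verify(self, env: dict) -> bool:
        # Out-of-order or replayed messages fail before any crypto is done.
        if env["seq"] != self.expected_seq or env["prev"] != self.last_tag:
            return False
        expected = compute_tag(self.secret, env["seq"], env["prev"], env["body"])
        # Constant-time comparison so the tag check does not leak timing.
        if not hmac.compare_digest(expected, env["tag"]):
            return False
        # Only advance state once the message is fully accepted.
        self.expected_seq += 1
        self.last_tag = env["tag"]
        return True


def demo() -> tuple:
    """Returns (first accepted, replay rejected, tamper rejected, second accepted)."""
    server = Verifier(SHARED_SECRET)

    # Constructed sample calls: an authorisation followed by a capture.
    m1 = sign_request(SHARED_SECRET, 1, GENESIS_TAG, {"op": "auth", "amount": 1000})
    first_ok = server.verify(m1)

    m2 = sign_request(SHARED_SECRET, 2, m1["tag"], {"op": "capture", "amount": 1000})

    # Replaying the already-accepted first message is rejected.
    replay_ok = server.verify(m1)

    # Modifying the body of a validly signed message is rejected.
    tampered = dict(m2)
    tampered["body"] = {"op": "capture", "amount": 999999}
    tamper_ok = server.verify(tampered)

    # The genuine second message is still accepted after the rejections.
    second_ok = server.verify(m2)
    return (first_ok, replay_ok, tamper_ok, second_ok)


if __name__ == "__main__":
    print(demo())
```

Whether such a scheme is required is a matter for the standard and the assessor; what the code shows is that it addresses message-level integrity and ordering, which are distinct properties from the channel confidentiality and server authentication that TLS provides.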