Thursday, May 29, 2014

PCI history

It seems Payment Card Industry Data Security Standard approaches are not required by U.S. law, but are instead just required in Minnesota and Nevada (while Washington State law gives a heavy incentive to embrace PCI). The Minnesota and Nevada requirements thus effectively drive a nationwide requirement, as who would want to make a shopping cart which attempts to sidestep interfacing with two of the fifty U.S. states? The older of the Minnesota/Nevada laws is the Minnesota law, and it goes back to 2007. PCI as an idea goes back less than ten years, to the tail end of 2004. Among the requirements for compliant web sites are things like:

  • session data may only be kept for X minutes
  • users must change their passwords every Y days
  • etc.
