opencollective / opencollective

We're tracking all our Issues, RFCs and a few other documents in this repository.
https://opencollective.com
MIT License

[Project] PCI DSS Compliance #7532

Closed znarf closed 1 month ago

znarf commented 1 month ago

While we avoid full PCI compliance by never seeing or storing credit card data, we're currently reviewing Stripe and PCI policies and want to improve in a few areas.

Coda link (private): https://coda.io/d/Make-Open-Collective_dnHLKv7oLV0/Currently_suSgoFhs#CurrentProjects_tuTeF75U/r268&view=modal

### Tasks
- [ ] Remove all credit card expiration dates from our database
- [ ] Stop recording credit cards expiration dates
- [ ] Adapt frontend to make sure we're still displaying cards properly
- [ ] Build an alternative mechanism for credit card expiration email notice

znarf commented 1 month ago

According to Stripe https://docs.stripe.com/security/guide

> Out-of-scope card data that you can safely store
>
> Stripe returns non-sensitive card information in the response to a charge request. This includes the card type, the last four digits of the card, and the expiration date. This information isn’t subject to PCI compliance, so you’re able to store any of these properties in your database. Additionally, you can store anything returned by our API

This project was initially based on the following table from the PCI "Self-Assessment Questionnaire A and Attestation of Compliance"


However, this table was not precise enough; one should look at "PCI DSS Section 2, PCI DSS Applicability Information, for further details", which states:

> The primary account number (PAN) is the defining factor for cardholder data. The term account data includes: the full PAN, any other elements of cardholder data that are present with the PAN, and any elements of sensitive authentication data.
>
> If cardholder name, service code, and/or expiration date are stored, processed, or transmitted with the PAN, or are otherwise present in the CDE, they must be protected in accordance with the PCI DSS requirements applicable to cardholder data

Translated to simple language, that means that without the full credit card number, the expiry date or cardholder name are not sensitive data subject to PCI DSS compliance.

We're generally all for storing as little data as possible, but in this case this would result in lost engineering time and a worse user experience.

Closing this project.