Consultor Eletrônico



Kbase P165466: A PCI-DSS compliance audit has found readable credit card numbers in files that are part of an OpenE
Author   Progress Software Corporation - Progress
Access   Public
Published   10/05/2010
Status: Unverified

SYMPTOM(s):

A PCI-DSS compliance audit has found readable credit card numbers in files that are part of an OpenEdge Database.

The credit card numbers have been found in a database data extent that was created using the prostrct create command.

FACT(s) (Environment):

Windows
OpenEdge 10.1B

CAUSE:

User error - the audit report prepared by the PCI-DSS auditor was read incorrectly. The credit card numbers were written as text to a table in the database and were flagged as failing compliance during the PCI-DSS audit.

FIX:

Modify the application so that credit card numbers are not stored in text format in a database table.

When OpenEdge creates a new database (e.g. when using the create qualifier of the prostrct command) or extends the size of an existing database, the new space allocated is initialized. All new disk blocks associated with OpenEdge database files are initialized, so that all data within those blocks are overwritten when they are first allocated.
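
To confirm after the application change that no readable card numbers remain in an extent, the kind of check the audit performs can be reproduced. The following is an added example, not Progress code: it scans raw bytes for 13 to 19 digit ASCII runs that pass the Luhn checksum and reports the block each hit falls in. The function names, the 4096-byte block size, the modelling of initialized blocks as zero bytes, and the sample data are assumptions made for illustration.

```python
import re

# Runs of 13-19 ASCII digits not embedded in a longer digit run
# (the length range of payment card numbers).
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to int
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(buf: bytes, block_size: int = 4096):
    """Return (block_number, byte_offset, masked_pan) for each Luhn-valid run.

    block_size is an assumed value; use the block size of the database
    being checked. Hits are masked (first 6, last 4) so the report itself
    does not become another cleartext copy.
    """
    hits = []
    for m in PAN_RE.finditer(buf):
        run = m.group()
        if luhn_ok(run):
            masked = run[:6].decode() + "*" * (len(run) - 10) + run[-4:].decode()
            hits.append((m.start() // block_size, m.start(), masked))
    return hits


# Constructed sample: two freshly initialized blocks (modelled as zeros),
# then one block holding a record with a card number stored as text.
# 4111111111111111 is a well-known test number; the order id fails Luhn.
_record = (b"\x00" * 100 + b"Jane Doe\x00" + b"4111111111111111"
           + b"\x00order 1234567890123456\x00")
SAMPLE = bytes(2 * 4096) + _record.ljust(4096, b"\x00")

if __name__ == "__main__":
    for block, offset, masked in find_pans(SAMPLE):
        print(f"block {block} offset {offset}: {masked}")
```

Hits only appear in blocks the application has written card data to as text; the initialized blocks produce none.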