Application Name:tst
Programming Language:.NET

Card Holder Data - requirements regarding PCI-DSS
In order to verify the veracity of your answers regarding these questions, we strongly recommend the following steps:
The application should be properly tested against the security vulnerabilities described in the OWASP Top Ten.
The Security Council recommends using ASV (Approved Scanning Vendor) scanning tools.
The most difficult part of the test is to verify whether the application actually stores, transmits or processes CHD.

The Web Application falls into the main PCI-DSS Scope
We strongly recommend to read the OWASP Top 10 guidelines
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
The following checks are obligatory in order to become PCI-DSS compliant
Requirement 3 is about Protection of Card Holder Data
3.1 Keep cardholder data storage to a minimum by implementing data retention
and disposal policies, procedures and processes that include at least the following:
-For all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
-Processes for secure deletion of data when no longer needed
-Specific retention requirements for cardholder data
-A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention.

Set secure Headers
Please check your deployment process to verify that the HTTPS protocol has been implemented.
Visit: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

Credit card numbers (PANs) must be masked if displayed to web users, for example: XXXX-XXXX-XXXX-3440
Only the last 4 digits can be displayed back to the user
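Added example for the masking rule above (not part of this report or of the scanned application): a C# helper that normalises the input, checks it is a plausible PAN, and returns only the last four digits in the XXXX-XXXX-XXXX-3440 form. Class and method names are this example's own; the PAN in Main is a constructed test value.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Example helper (hypothetical names): produces the display form of a PAN
// so that only the last four digits ever reach the web user.
public static class PanMasker
{
    // Accepts a PAN with optional spaces or dashes, validates it (13-19 digits,
    // Luhn check) and returns the masked string. The full PAN is never
    // included in any message thrown from here, so it cannot leak via errors.
    public static string MaskForDisplay(string rawPan)
    {
        if (rawPan == null) throw new ArgumentNullException(nameof(rawPan));
        string digits = Regex.Replace(rawPan, @"[\s-]", "");
        if (digits.Length < 13 || digits.Length > 19 || !digits.All(c => c >= '0' && c <= '9'))
            throw new ArgumentException("Input is not a PAN."); // do not echo the value
        if (!PassesLuhn(digits))
            throw new ArgumentException("PAN fails the Luhn check.");

        string last4 = digits.Substring(digits.Length - 4);
        // Replace every leading digit with X, then insert a dash after each
        // group of four (except at the very end) for readability.
        string masked = new string('X', digits.Length - 4) + last4;
        return Regex.Replace(masked, ".{4}(?!$)", "$0-");
    }

    // Standard Luhn (mod 10) check used by payment card numbers.
    private static bool PassesLuhn(string digits)
    {
        int sum = 0;
        bool doubleIt = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    public static void Main()
    {
        // Constructed test PAN (a well-known Luhn-valid test number, not real data).
        Console.WriteLine(PanMasker.MaskForDisplay("4111 1111 1111 1111"));
    }
}
```

Apply the helper at the view layer and keep the full PAN out of view models, logs and error pages; the masked string is the only form the browser should receive.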

According to PCI-DSS 3.2.1, do not store the full contents of any track (from the magnetic stripe
located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively
called full track, track, track 1, track 2, and magnetic-stripe data.
The purpose of the card validation code (CVV) is to protect card-not-present transactions—Internet
or mail order/telephone order (MO/TO) transactions—where the consumer and the card are not present.
If this data is stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.

If your organization must store cardholder data, it must be rendered unreadable using strong cryptography, truncation, or index tokens with securely stored pads.
Please refer to the following document for more info: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage
