Application Name: Acme
Programming Language: .NET

Card Holder Data - requirements regarding PCI-DSS
To verify the accuracy of your answers to these questions, we strongly recommend the following steps:
The application should be properly tested against the security vulnerabilities described in the OWASP Top Ten.
The PCI Security Standards Council recommends using ASV (Approved Scanning Vendor) scanning tools.
Optional tools recommended here are Wireshark, Nessus, OWASP ZAP and FindBugs, together with the IDE's search features for reviewing the source code.
The most difficult part of the test is verifying whether the application actually stores, transmits or processes cardholder data (CHD).

The web application falls within the main PCI-DSS scope.
We strongly recommend reading the OWASP Top 10 guidelines:
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013
The following checks are obligatory in order to become PCI-DSS compliant.
Requirement 3 covers protection of cardholder data.
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes that include at least the following:
-For all cardholder data (CHD) storage: limiting data storage amount and retention time to that which is required for legal, regulatory, and business requirements
-Processes for secure deletion of data when no longer needed
-Specific retention requirements for cardholder data
-A quarterly process for identifying and securely deleting stored cardholder data that exceeds defined retention
3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.

Authentication
HTTP authentication MUST be implemented over TLS. Right now you are NOT compliant with requirement 4.
Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Please check that your application uses SSL/TLS (HTTPS), and verify in your deployment process that the HTTPS protocol has been implemented.
Read the following guidelines regarding secure authentication:
https://www.owasp.org/index.php/Authentication_Cheat_Sheet
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Credit card numbers (PANs) must be masked if displayed to web users, for example: XXXX-XXXX-XXXX-3440
Only the last 4 digits can be displayed back to the user.

According to PCI-DSS requirement 3.2.1, do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere). This data is alternatively called full track, track, track 1, track 2, and magnetic-stripe data.
The purpose of the card validation code (CVV) is to protect card-not-present transactions, i.e. Internet or mail order/telephone order (MO/TO) transactions, where the consumer and the card are not present. If this data is stolen, malicious individuals can execute fraudulent Internet and MO/TO transactions.
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
-One-way hashes based on strong cryptography (the hash must be of the entire PAN)
-Truncation (hashing cannot be used to replace the truncated segment of the PAN)
-Index tokens and pads (pads must be securely stored)
-Strong cryptography with associated key-management processes and procedures
If your organization must store cardholder data, it must be protected with one of the approaches listed above: strong cryptography, truncation, or index tokens with securely stored pads.
Please refer to the following documents for more info: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage

If the application writes information such as credit card numbers to log files and this data is not properly encrypted, the application will not comply with requirements 3 and 4.
Please refer to the following document for more info: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf
https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet
https://www.owasp.org/index.php/Top_10_2010-A7-Insecure_Cryptographic_Storage
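As an added worked example (not code from the original report or from the Acme application), the following C# helpers show the PAN handling the preceding sections ask for: the display masking described above (XXXX-XXXX-XXXX-3440), truncation and a keyed one-way hash of the entire PAN as two of the requirement 3.4 storage options, and redaction of PANs from log messages before they reach a log file. The class and method names are hypothetical, the HMAC key is assumed to come from a key store managed under the organization's key-management procedures, and 4111 1111 1111 1111 is a constructed test number, not a real card.

```csharp
// Added example: PAN masking, truncation, keyed hashing and log redaction for a .NET application.
// Not the report's or Acme's own code; class and method names are hypothetical.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

public static class PanProtection
{
    // Keep only digits so "4111 1111 1111 1111" and "4111-1111-1111-1111" are handled alike.
    private static string Digits(string s) => new string(s.Where(char.IsDigit).ToArray());

    // Luhn check: cheap validation that rejects typos and most digit runs that are not PANs.
    public static bool PassesLuhn(string pan)
    {
        string d = Digits(pan);
        if (d.Length < 13 || d.Length > 19) return false;
        int sum = 0;
        bool doubleIt = false;
        for (int i = d.Length - 1; i >= 0; i--)
        {
            int n = d[i] - '0';
            if (doubleIt) { n *= 2; if (n > 9) n -= 9; }
            sum += n;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // Display masking: everything except the last four digits becomes 'X', grouped in fours.
    public static string MaskForDisplay(string pan)
    {
        string d = Digits(pan);
        if (!PassesLuhn(d)) throw new ArgumentException("Not a valid PAN.");
        string masked = new string('X', d.Length - 4) + d[^4..];
        var sb = new StringBuilder();
        for (int i = 0; i < masked.Length; i++)
        {
            if (i > 0 && i % 4 == 0) sb.Append('-');
            sb.Append(masked[i]);
        }
        return sb.ToString();
    }

    // Truncation for storage: persist only the last four digits; the rest is discarded,
    // so a database dump cannot yield a usable card number.
    public static string TruncateForStorage(string pan) => Digits(pan)[^4..];

    // One-way hash of the ENTIRE PAN for lookups such as "has this card been seen before".
    // PANs have low entropy, so an unkeyed SHA-256 can be brute-forced offline; mixing in a
    // secret key via HMAC makes the stored hash useless without the key. The key must be
    // protected under the key-management processes and procedures the report refers to.
    public static string HashForLookup(string pan, byte[] key)
    {
        using var hmac = new HMACSHA256(key);
        byte[] mac = hmac.ComputeHash(Encoding.ASCII.GetBytes(Digits(pan)));
        return Convert.ToHexString(mac);   // Convert.ToHexString requires .NET 5 or later
    }

    // Matches 13 to 19 digits optionally separated by single spaces or dashes.
    private static readonly Regex CandidatePan =
        new Regex(@"\b(?:\d[ -]?){12,18}\d\b", RegexOptions.Compiled);

    // Log redaction: replace every Luhn-valid candidate PAN in a message with its masked form
    // before the line reaches any log sink. Digit runs that fail Luhn (order ids, timestamps)
    // are left alone; if in doubt, drop the Luhn test and over-redact.
    public static string RedactForLog(string message) =>
        CandidatePan.Replace(message, m => PassesLuhn(m.Value) ? MaskForDisplay(m.Value) : m.Value);

    public static void Main()
    {
        const string testPan = "4111 1111 1111 1111";    // constructed test number, not a real card
        byte[] key = RandomNumberGenerator.GetBytes(32);  // demo key only; load from a key store in production

        Console.WriteLine(MaskForDisplay(testPan));
        Console.WriteLine(TruncateForStorage(testPan));
        Console.WriteLine(HashForLookup(testPan, key));
        Console.WriteLine(RedactForLog("order 20240101 paid with card 4111-1111-1111-1111 by user 42"));
    }
}
```

RedactForLog is meant to sit in a logging wrapper or log-provider formatter so that no code path can write a raw PAN; it is a safety net for the logging violation described above, not a substitute for never passing PANs to the logger in the first place. The regex deliberately over-matches and relies on the Luhn test to avoid masking unrelated numbers; where log volume makes occasional over-redaction acceptable, the Luhn filter can be removed for a simpler and stricter rule.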
Transmission of CHD
HTTP authentication, and any exchange that contains CHD, should be implemented over TLS.
Please check your deployment process to verify that the HTTPS protocol has been implemented properly.
https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
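As an added example (not the report's or Acme's own code), the following ASP.NET Core startup file enforces TLS for authentication and for every other request, which is the requirement 4 point raised in the Authentication section above and here. It assumes a .NET 6 or later project using the Microsoft.NET.Sdk.Web SDK with minimal hosting and cookie authentication; that framework choice is an assumption, since the report only states that the application is written in .NET.

```csharp
// Added example: ASP.NET Core Program.cs that refuses plain HTTP for the whole application.
// Not the report's or Acme's own code; assumes .NET 6+ with the Web SDK (implicit usings).
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// Redirect any http:// request to https:// with a permanent redirect, so neither credentials
// nor cardholder data are ever accepted over a clear-text connection.
builder.Services.AddHttpsRedirection(options =>
{
    options.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
    options.HttpsPort = 443;
});

// HSTS instructs browsers to use HTTPS only (one year, including subdomains), which
// protects later visits even if a user types the http:// URL.
builder.Services.AddHsts(options =>
{
    options.MaxAge = TimeSpan.FromDays(365);
    options.IncludeSubDomains = true;
});

// Cookie authentication whose session cookie is only sent over TLS and is not readable
// from script, so the authenticated session cannot leak over HTTP either.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.HttpOnly = true;
        options.Cookie.SameSite = SameSiteMode.Strict;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: HSTS and the redirect run before authentication so an HTTP request is
// redirected before any cookie or credential is examined.
app.UseHsts();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint standing in for the application's checkout pages.
app.MapGet("/checkout", () => "Served over TLS only").RequireAuthorization();

app.Run();
```

Verifying that HTTPS has been implemented properly also means checking the server's TLS configuration (protocol versions, cipher suites, certificate chain) with a scanning tool such as those listed at the top of this report; the code above only guarantees that the application never accepts credentials or cardholder data over plain HTTP. If TLS is terminated at a load balancer in front of the application, the ForwardedHeaders middleware must additionally be configured so the application sees the original request scheme and does not loop on the redirect.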