Java client app and PCI compliance

I am trying hard to find a way to automate some calculations on a credit card merchant statement. But I must be 100% within the letter and the intent of the rules which define PCI compliance.

Writing a Java app to run on all platforms was a great suggestion to "pre-process" the data, redacting private data, before upload to my site for further processing. But, I wonder, why not do ALL the processing via a downloadable Java App?

Is that a guarantee that I am 100% PCI compliant?

The problem will be when it fails a user and they need it debugged...I would need that PDF file sent to me for debugging. BUT, isn't that a much safer route to take than putting it on a website?

I would certainly have a high security bar to maintain regarding how I handle my PC, and maybe the methodology I use when choosing a password for that email account. But NOT having a website where any Credit Card info resides seems like a smarter way to go.

So, I am now imagining a simple website, probably WordPress. I would post a current version of the Java App for download and an explanation of what it does, etc.

Users could download it and privately process their merchant account report on their own PCs. In the LIKELY event they have an unsupported report format, they could email me their full report. (Redacting private data from a PDF itself seems like a pretty high bar for users to handle.)

On receipt of the PDF, I would redact all private data for that statement, and delete all un-redacted versions.

Once I have that report working, I would email the final report to that merchant and push an update of the Java App.

Any problems with this approach?

For those who work with PCI, is this PCI compliant?

Thanks.
newbieweb, Sr. Software Engineer, Asked:
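The question above proposes redacting private data from a merchant statement on the user's own PC before anything is uploaded. The following is an added example, not code from the asker's app or from anyone in this thread: a small Java class that finds card-number candidates in statement text, keeps only those that pass the Luhn mod-10 check (so invoice numbers and totals are left alone), and masks all but the last four digits. The statement layout and the sample lines are constructed; the numbers are well-known test PANs, not real accounts.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Redacts primary account numbers (PANs) from extracted statement text
 * before the file leaves the merchant's machine.
 * Added example for this thread; the statement format is assumed.
 */
public final class PanRedactor {

    // Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes.
    private static final Pattern CANDIDATE =
        Pattern.compile("\\b(?:\\d[ -]?){12,18}\\d\\b");

    /** Luhn mod-10 check; rejects most non-card digit runs (totals, invoice numbers). */
    static boolean passesLuhn(String digits) {
        int sum = 0;
        boolean doubleIt = false;
        for (int i = digits.length() - 1; i >= 0; i--) {
            int d = digits.charAt(i) - '0';
            if (doubleIt) {
                d *= 2;
                if (d > 9) d -= 9;
            }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    /** Replaces every Luhn-valid candidate with a mask that keeps only the last four digits. */
    static String redact(String text) {
        Matcher m = CANDIDATE.matcher(text);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String raw = m.group();
            String digits = raw.replaceAll("[ -]", "");
            String replacement = passesLuhn(digits)
                ? "*".repeat(digits.length() - 4) + digits.substring(digits.length() - 4)
                : raw; // not a card number as far as Luhn can tell: leave it untouched
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample statement lines (test PANs, not real accounts).
        String[] lines = {
            "2023-05-01  4111 1111 1111 1111  VISA  $120.00",
            "2023-05-01  5500-0000-0000-0004  MC    $45.10",
            "Invoice 1234567890123  total $10.00"
        };
        for (String line : lines) {
            System.out.println(redact(line));
        }
    }
}
```

The first two lines come out with the PAN masked as `************1111` and `************0004`; the invoice line is unchanged because its 13-digit run fails the Luhn check. Run it on text extracted from the PDF (with a PDF text-extraction library of your choice) rather than on the PDF bytes, and keep the unredacted text only in memory, since the point of the design in the question is that the full statement never leaves the merchant's machine.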
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
1) PCI Compliance occurs at the server level. So long as your site has passed whatever compliance scanner is used by the company you hire to test your compliance, you'll be good.

2) When .pdf file debugging is required, only upload files via an SSL wrapped site. Never, ever, ever send anything personal via email.

Email flowing over the net can be read by anyone.

3) Java for download... Ouch... You're asking for a world of hurt. If you have infinite free time, then you can go this route.

Better to always have people upload their documents to your site + do all processing on your site.

Otherwise you'll have to write tutorials for things like how to install Java, when it's missing + people will rarely follow your instructions correctly, so you'll then have to go into the customer support business, just to get Java + your App installed + running correctly for each client.

4) Rather than email their document back to them, email a notification that they can pick up their document from your Website.

Then do a per user file upload/download area for each client.

I coded a per-user file upload/download recently. Only a few lines of code, if you use WordPress.

5) I work with keeping sites PCI Compliant continuously. Any App you run on your site should have zero effect on your compliance... so long as the code you write runs in background (no front facing connection), to process all your documents.
0

David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
Sigh... One last point.... I pondered whether to say this or not...

Java is the absolute last language I'd choose for this work... or, pretty much anything.

What you can do in a handful of lines of PERL, takes 100s or 1000s of lines of Java.

The per-user upload/download WordPress facility I developed runs PHP for the UI + all the code behind the scenes to process files is PERL.
0
newbieweb, Sr. Software Engineer, Author Commented:
Once again, thanks a lot. There is plenty for me to ponder!
0
David Favor, Linux/LXD/WordPress/Hosting Savant, Commented:
You're welcome.

Big thing about PCI Compliance is also, once you choose your Compliance company, their scanner will be unique.

So if you change companies (therefore scanner changes too), likely you may have to clean up some other minor things.

And again, all this will be at the server level, so your App should have no effect on your compliance.
0
gr8gonzo, Consultant, Commented:
David, I have to disagree on the Java thing. Java has so many libraries today that it's far easier to write and maintain compared to Perl (and I write in both). I actually find it to be somewhere between object-oriented PHP and C#. And so many people have Java running nowadays or have installed it before that it shouldn't be a big deal for downloads. Take a look at the popularity of Minecraft or something like Universal Media Server - both Java apps that have extremely simple setups (and probably do more than necessary).

2. A server-side app can definitely impact PCI compliance if it's not securing data properly.

3. I agree it's still not a good idea to send sensitive data over email, but I would just add that things are dramatically improving in server email security. Almost every major email provider and most popular email server distributions support TLS nowadays. I could send an email from any of my servers to my Gmail account and know that it would be safely transmitted.

If you're not certain about the mail servers involved, it's definitely safer to use https.
1