Do not store sensitive authentication data after authorization (even if encrypted)
In the normal course of business, the following data elements from the magnetic stripe may need to be retained:
• The cardholder's name,
• Primary account number (PAN),
• Expiration date, and
• Service code.
To minimize risk, store only those data elements needed for business.
After authorization, do not store the card verification value or code (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
Do not store sensitive authentication data on vendor systems, and never in client-side storage such as cookies or browser local storage.
Sensitive authentication data that was used for debugging or troubleshooting is securely deleted immediately after use, including from:
- Log files
- Debugging files
- Other data sources received from customers
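The usual way sensitive authentication data ends up in log and debugging files is a dump of the raw request. The sanitiser below is an added example (not code from the original notes or from any payment application): it drops fields that hold SAD (CVV/CVC, track data, PIN block) outright and masks any Luhn-valid 13 to 19 digit run to first six / last four before the record reaches the logger. The field names and the sample request are constructed for the demo.

```php
<?php
// Added example: strip sensitive authentication data (SAD) from anything that
// is about to be logged. Field names and the sample record are assumptions.
declare(strict_types=1);

/** Luhn check: distinguishes real card numbers from other long digit runs. */
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

/** Mask a PAN to first six and last four digits (PCI DSS display rule). */
function maskPan(string $pan): string
{
    return substr($pan, 0, 6) . str_repeat('*', strlen($pan) - 10) . substr($pan, -4);
}

/** Keys that hold SAD: removed entirely, never logged even in masked form. */
const SAD_KEYS = ['cvv', 'cvv2', 'cvc', 'cvc2', 'cid', 'track1', 'track2',
                  'track_data', 'pin', 'pin_block'];

/**
 * Recursively sanitise a record before handing it to the logger: SAD fields
 * are replaced by a marker, PAN-like digit runs inside any string are masked.
 */
function sanitiseForLog(array $record): array
{
    $clean = [];
    foreach ($record as $key => $value) {
        if (is_string($key) && in_array(strtolower($key), SAD_KEYS, true)) {
            $clean[$key] = '[removed]';
            continue;
        }
        if (is_array($value)) {
            $clean[$key] = sanitiseForLog($value);
        } elseif (is_string($value)) {
            $clean[$key] = preg_replace_callback(
                '/\b\d{13,19}\b/',
                fn(array $m): string => luhnValid($m[0]) ? maskPan($m[0]) : $m[0],
                $value
            );
        } else {
            $clean[$key] = $value;
        }
    }
    return $clean;
}

// Constructed sample: what a careless debug dump of a request might contain.
// The order number is 15 digits but fails Luhn, so it is left readable.
$request = [
    'pan'    => '4111111111111111',
    'expiry' => '12/27',
    'cvv2'   => '123',
    'track2' => ';4111111111111111=27121011234567890?',
    'note'   => 'retry for card 4111111111111111, order 123456789012345',
    'amount' => 19.99,
];

error_log(json_encode(sanitiseForLog($request)));
```

Run the sanitiser at the logging boundary (a Monolog processor, or a wrapper around error_log) rather than at each call site, so a new debug statement cannot bypass it. The Luhn filter keeps order numbers and timestamps readable while still catching PANs embedded in free text.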
The payment application keeps password history and requires that a new password is different than any of the last four passwords used.
The payment application limits repeated access attempts by locking out the user account after not more than six logon attempts.
Idle sessions must time out: if a user has been inactive for longer than the configured period, the application logs them out and requires re-authentication. The notes mention 10 and 30 minutes; 15 minutes is the recommended ceiling (PA-DSS requires re-authentication after a session has been idle for more than 15 minutes).
Log invalid logical access attempts. When a user repeatedly fails to log in, lock the account and give an administrator the option to permanently block the offending source IP address. (Note: discuss before applying an IP block, because many users can share one IP address at the same time, for example behind a NAT gateway or corporate proxy.)
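The four rules above (password history of four, lockout after six attempts, idle timeout, logging of invalid attempts) fit in one small policy object. The class below is an added example, not code from the original notes and not Laravel's own authentication; it keeps users and sessions in memory and takes the clock as a parameter so the timeout can be exercised deterministically. Storage, method names and the timestamps are assumptions for the demo.

```php
<?php
// Added example: authentication policy enforcing password history, lockout,
// idle timeout and failure logging. In-memory storage and fixed clock values
// are assumptions for the demo.
declare(strict_types=1);

final class AuthPolicy
{
    public const HISTORY_DEPTH = 4;    // new password must differ from last four
    public const MAX_ATTEMPTS  = 6;    // lock after not more than six attempts
    public const IDLE_TIMEOUT  = 900;  // seconds: 15 minutes

    /** @var array<string, array{hashes: string[], failures: int, locked: bool}> */
    private array $users = [];
    /** @var array<string, array{user: string, lastSeen: int}> */
    private array $sessions = [];

    public function register(string $user, string $password): void
    {
        $this->users[$user] = [
            'hashes'   => [password_hash($password, PASSWORD_DEFAULT)],
            'failures' => 0,
            'locked'   => false,
        ];
    }

    /** Reject any password matching one of the last HISTORY_DEPTH hashes. */
    public function changePassword(string $user, string $newPassword): bool
    {
        if (!isset($this->users[$user])) {
            return false;
        }
        $u = &$this->users[$user];
        foreach (array_slice($u['hashes'], -self::HISTORY_DEPTH) as $old) {
            if (password_verify($newPassword, $old)) {
                return false;  // reused password
            }
        }
        $u['hashes'][] = password_hash($newPassword, PASSWORD_DEFAULT);
        return true;
    }

    /** Returns a session id on success, null on failure or when locked. */
    public function login(string $user, string $password, int $now, string $ip): ?string
    {
        if (!isset($this->users[$user])) {
            error_log("invalid logon: unknown user $user from $ip");
            return null;
        }
        $u = &$this->users[$user];
        if ($u['locked']) {
            error_log("invalid logon: locked account $user from $ip");
            return null;  // stays locked until an administrator resets it
        }
        if (!password_verify($password, end($u['hashes']))) {
            $u['failures']++;
            if ($u['failures'] >= self::MAX_ATTEMPTS) {
                $u['locked'] = true;
            }
            error_log("invalid logon: bad password for $user from $ip (attempt {$u['failures']})");
            return null;
        }
        $u['failures'] = 0;
        $sid = bin2hex(random_bytes(32));
        $this->sessions[$sid] = ['user' => $user, 'lastSeen' => $now];
        return $sid;
    }

    /** Idle check: a session untouched for more than IDLE_TIMEOUT is dropped. */
    public function touch(string $sid, int $now): bool
    {
        if (!isset($this->sessions[$sid])) {
            return false;
        }
        if ($now - $this->sessions[$sid]['lastSeen'] > self::IDLE_TIMEOUT) {
            unset($this->sessions[$sid]);  // force re-authentication
            return false;
        }
        $this->sessions[$sid]['lastSeen'] = $now;
        return true;
    }
}

// Walk-through with a fixed clock (constructed values).
$p = new AuthPolicy();
$p->register('clerk', 'Correct-Horse-1');
var_dump($p->changePassword('clerk', 'Correct-Horse-1'));   // reuse of a recent password
var_dump($p->changePassword('clerk', 'Battery-Staple-2'));  // fresh password
for ($i = 0; $i < 6; $i++) {
    $p->login('clerk', 'wrong', 1000, '203.0.113.7');       // sixth failure locks
}
var_dump($p->login('clerk', 'Battery-Staple-2', 1000, '203.0.113.7'));
$sid = $p->login('cashier', 'x', 1000, '203.0.113.7');      // unknown user, logged
$q = new AuthPolicy();
$q->register('cashier', 'Battery-Staple-2');
$sid = $q->login('cashier', 'Battery-Staple-2', 1000, '203.0.113.7');
var_dump($q->touch($sid, 1600));   // 10 minutes idle
var_dump($q->touch($sid, 2501));   // 901 seconds since the last touch
```

The failure log lines carry the source IP so an administrator has what they need to decide on an IP block; the class itself only locks the account, in keeping with the note above about shared addresses.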
Protect against cross-site request forgery (CSRF): every state-changing request must carry an unpredictable per-session token that the server verifies before acting.
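A synchronizer-token implementation of that rule, as an added example (not from the original notes, and not Laravel's VerifyCsrfToken middleware, which does the same job via the @csrf Blade directive). The session is a plain array, and the form field and header names are assumptions for the demo.

```php
<?php
// Added example: synchronizer-token CSRF protection. Session storage, field
// and header names are assumptions for the demo.
declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';
const CSRF_FIELD       = '_token';
const CSRF_HEADER      = 'X-CSRF-TOKEN';

/** One unpredictable token per session, created lazily and reused. */
function csrfToken(array &$session): string
{
    if (!isset($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field to embed in every HTML form that changes state. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify a request. Safe methods (GET/HEAD/OPTIONS) pass; anything else must
 * carry the session token in the form body or in a header, compared in
 * constant time so the check does not leak the token byte by byte.
 */
function csrfVerify(array &$session, string $method, array $post, array $headers): bool
{
    if (in_array(strtoupper($method), ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }
    if (!isset($session[CSRF_SESSION_KEY])) {
        return false;  // no token was ever issued to this session
    }
    $supplied = $post[CSRF_FIELD] ?? $headers[CSRF_HEADER] ?? null;
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($session[CSRF_SESSION_KEY], $supplied);
}

// Constructed requests: a legitimate form post, a forged cross-site post
// (no token, the attacker cannot read it), and an AJAX post using the header.
$session = [];
$token   = csrfToken($session);
echo csrfField($session), "\n";

$legit  = csrfVerify($session, 'POST', [CSRF_FIELD => $token], []);
$forged = csrfVerify($session, 'POST', ['amount' => '100'], []);
$ajax   = csrfVerify($session, 'POST', [], [CSRF_HEADER => $token]);
printf("legit=%d forged=%d ajax=%d\n", $legit, $forged, $ajax);
```

Because GET is exempt, the application must never change state on GET; a "delete" link that works by GET is CSRF-exploitable regardless of the token.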
The payment application must be developed such that any web server and any cardholder data storage component (for example, a database server) are not required to be on the same server, nor is the data storage component required to be on the same network zone (such as a DMZ) with the web server.
Two-factor authentication must be used (PA-DSS requires it for all remote access to the payment application that originates from outside the customer environment).
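The most common second factor is a time-based one-time code (RFC 6238 TOTP). The functions below are an added example, not code from the original notes or from any particular library: HMAC-SHA1, 30-second step, 6 digits, one step of clock drift allowed, and a used-step record so an intercepted code cannot be replayed. The secret is the RFC test value; a real deployment generates one per user with random_bytes() and shows it once (usually base32-encoded in a QR code).

```php
<?php
// Added example: RFC 6238 TOTP verification for a second factor. The secret
// is the RFC 4226/6238 test vector, not a production value.
declare(strict_types=1);

/** HOTP (RFC 4226) for a counter; TOTP is HOTP over a time-derived counter. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg    = pack('J', $counter);                // 64-bit big-endian counter
    $hash   = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0f;              // dynamic truncation
    $code   = ((ord($hash[$offset]) & 0x7f) << 24)
            | (ord($hash[$offset + 1]) << 16)
            | (ord($hash[$offset + 2]) << 8)
            |  ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $time, int $step = 30): string
{
    return hotp($secret, intdiv($time, $step));
}

/**
 * Verify a user-supplied code, allowing one step of drift either side, and
 * refuse any step at or before the last one accepted (replay protection).
 * $lastUsedStep is per user and must be persisted alongside the secret.
 */
function totpVerify(string $secret, string $code, int $time, ?int &$lastUsedStep, int $step = 30): bool
{
    $current = intdiv($time, $step);
    for ($drift = -1; $drift <= 1; $drift++) {
        $counter = $current + $drift;
        if ($lastUsedStep !== null && $counter <= $lastUsedStep) {
            continue;  // already consumed
        }
        if (hash_equals(hotp($secret, $counter), $code)) {
            $lastUsedStep = $counter;
            return true;
        }
    }
    return false;
}

// RFC 6238 test vector: secret "12345678901234567890", T=59 gives 287082
// (the 6-digit tail of the RFC's 8-digit value 94287082).
$secret = '12345678901234567890';
$last   = null;
$code   = totp($secret, 59);
$first  = totpVerify($secret, $code, 59, $last);   // accepted
$replay = totpVerify($secret, $code, 59, $last);   // same code again: rejected
printf("code=%s first=%d replay=%d\n", $code, $first, $replay);
```

Rate-limit verification attempts as well: a 6-digit code with a three-step window gives an attacker roughly three chances in a million per guess, which is only safe if guesses are throttled like the password lockout above.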
If the payment application sends, or facilitates sending, cardholder data over public networks, it must support strong cryptography and security protocols (for example TLS, IPsec, SSH) to safeguard cardholder data in transit over open, public networks, including at least the following:
• Only trusted keys and certificates are accepted.
• The protocol in use only supports secure versions or configurations (SSL and early TLS are no longer considered strong cryptography under PCI DSS; TLS 1.2 or later is recommended).
• The encryption strength is appropriate for the encryption methodology in use.
For Laravel: signed routes (URL::signedRoute / URL::temporarySignedRoute, checked with $request->hasValidSignature()) protect URL parameters from tampering. They complement TLS but do not replace it; the transport itself still has to meet the three points above.
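The three points map directly onto cURL options. Below, as an added example (not from the original notes or from Laravel), is the same outbound gateway call configured the way auditors flag it and then configured to the requirements: the weak set accepts any certificate and any protocol version the peer offers, the hardened set verifies the chain against a CA bundle, checks the hostname, and sets TLS 1.2 as the floor. The gateway URL and CA bundle path are assumptions.

```php
<?php
// Added example: weak vs hardened TLS client settings for an outbound call
// carrying cardholder data. URL and CA path are assumptions for the demo.
declare(strict_types=1);

const GATEWAY_URL = 'https://gateway.example.test/authorize';
const CA_BUNDLE   = '/etc/ssl/certs/ca-certificates.crt';

/** Weak: what the requirement forbids. Any cert, any hostname, any version. */
function weakTlsOptions(): array
{
    return [
        CURLOPT_URL            => GATEWAY_URL,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => false,  // untrusted/self-signed certs accepted
        CURLOPT_SSL_VERIFYHOST => 0,      // hostname mismatch ignored
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_DEFAULT,  // may negotiate TLS 1.0
    ];
}

/** Hardened: trusted certificates only, hostname checked, TLS 1.2 or later. */
function hardenedTlsOptions(): array
{
    return [
        CURLOPT_URL             => GATEWAY_URL,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,          // chain must end at CA_BUNDLE
        CURLOPT_SSL_VERIFYHOST  => 2,             // subject must match the host
        CURLOPT_CAINFO          => CA_BUNDLE,
        // TLS 1.2 as the minimum on libcurl >= 7.54 (exactly 1.2 on older builds);
        // either way SSLv3, TLS 1.0 and 1.1 are refused.
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,  // no plain http://, ever
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,  // not even via a redirect
    ];
}

/** Send an authorization request with the hardened settings. */
function postToGateway(array $fields): array
{
    $ch = curl_init();
    curl_setopt_array($ch, hardenedTlsOptions());
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body   = curl_exec($ch);
    $result = [
        'ok'     => $body !== false,
        'error'  => curl_error($ch),   // e.g. certificate verify failed
        'status' => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
    ];
    curl_close($ch);
    return $result;
}

// The fields here are placeholders; a real call carries tokenized card data.
var_dump(postToGateway(['order' => 'demo-1', 'amount' => '19.99']));
```

A certificate failure should stop the transaction, not fall back to the weak set; the common bug is a try/catch that retries with CURLOPT_SSL_VERIFYPEER => false when the CA bundle is missing, which silently downgrades every call in production.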