I think this depends largely on what level of PCI Compliance you are aiming for [1]. Also, it depends on the PCI-DSS version you are working with.
As for a CDN claiming PCI Compliance, I don't believe any CDNs make such claims (with the exception of RackSpace, but they are a hosting provider more than a CDN).

And protection against hacking of the JS files at the source? I'm not quite sure what that means. Are you asking if the source files can be modified by someone prior to them being sent to you? The answer would be yes: someone at Google or MS could modify the files; however, they wouldn't, not without expecting large lawsuits from lots of customers.

You could be subject to MiTM and DNS cache poisoning attacks on your servers that could allow an attacker to represent themselves as cdn.google or cdn.ms or whatever other CDN you might use. To mitigate this you can (and should) make all of the sensitive areas of your application require SSL. The upstream requests to your CDN should also use SSL; if the cert is invalid it will warn your users before the script is downloaded to their browser.

On 3/8/11 5:26 PM, "jkane001" <[email protected]> wrote:

> Greetings!
>
> We run a website that deals with personal data, credit card info,
> etc., and we are working toward PCI Compliance. We are thinking of
> using a CDN (Google or MS), but our concern is security of externally
> loaded JS files.
>
> 1) Does the Google CDN claim PCI Compliance?
> 2) Is there any protection against hacking of the JS files at the
> source?
>
> Thanks!
> J
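The advice above to load CDN scripts over SSL can be checked mechanically. The following is an added example, not part of the original thread: a Python audit that lists every `<script src>` on a page and flags any that would be fetched without HTTPS. The function names, page URL and hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptSrcAuditor(HTMLParser):
    """Collects <script src> values and classifies how each one is fetched."""
    def __init__(self, page_url):
        super().__init__()
        self.page = urlparse(page_url)
        self.findings = []  # (src, verdict) tuples in document order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:  # inline scripts fetch nothing, so they are skipped
            self.findings.append((src, self._classify(src.strip())))

    def _classify(self, src):
        u = urlparse(src)
        # Protocol-relative (//host/x.js) and relative URLs inherit the page scheme.
        scheme = u.scheme or self.page.scheme
        host = u.netloc or self.page.netloc
        origin = "same-origin" if host.lower() == self.page.netloc.lower() else "third-party"
        if scheme.lower() != "https":
            return f"{origin}: INSECURE ({scheme})"
        return f"{origin}: ok"

def audit(html, page_url):
    parser = ScriptSrcAuditor(page_url)
    parser.feed(html)
    return parser.findings

def insecure(html, page_url):
    return [src for src, verdict in audit(html, page_url) if "INSECURE" in verdict]

# Constructed sample page; hosts are placeholders, not real CDN endpoints.
SAMPLE = """
<html><head>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
<script src="http://cdn.example.net/lib/plugin.js"></script>
<script src="//cdn.example.org/ui.js"></script>
<script src="/static/app.js"></script>
<script>var inline = 1;</script>
</head></html>
"""

if __name__ == "__main__":
    for src, verdict in audit(SAMPLE, "https://shop.example.com/checkout"):
        print(f"{verdict:32} {src}")
```

Protocol-relative and relative URLs are only as safe as the page that includes them, which is why the same markup yields more findings when the page itself is served over plain HTTP.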
