Demaestro - 3:56 pm on Aug 17, 2009 (gmt 0)

Jack, just wondering who requires this if you process CC numbers?

I just checked with my gateway and they only want me to have one if I store numbers, they don't require it otherwise, and they are very strict.

I am just wondering if there is some other body that is requiring it of me.

dreamer -> there are third party services that do code review. Applications and Websites that use those code reviews are usually in a position of high trust.

For example, banks and some poker/gambling sites have code audits. These are expensive though. Most e-comm vulnerabilities come in the form of sql injections and cross scripting stuff which can be checked using brute force methods, so getting a full code review isn't required.