Is TestLink PCI-DSS compliant?
As TestLink might store sensitive data, is TestLink PCI-DSS compliant?
Everything is stored in cleartext in the database, except the password, which is stored as an MD5 hash.
You can alter the setup and workflow to make it compliant. For example, to make the login secure, you can use their LDAP integration to handle logins. For sensitive information, you can store it in a separate reference sheet in a secure location and have the test cases link to that instead of putting the information in the TestLink database. You might also get away with just using an encrypted file system like BitLocker, so in theory the data is protected from those who do not have a login to TestLink or access to the host system.
Originally Posted by madhusudanjoshi
I've worked in the insurance industry, where sensitive information is handled. How we handled it there was to keep testing completely separate from production. QA was not allowed to touch production or any system that holds production data. We simply tested more thoroughly, put more faith in our testing prior to deployment, and avoided staging tests with production data.
At another company I worked for that accepted credit card payments, we had a procedure for testing on "production-like" data. We had a sanitization script that removed all identifying information and other sensitive information when it created a copy of the production database for stage testing.
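The sanitization step described in the last post, as an added illustration rather than the poster's own script: it copies a constructed "production" payments table into a stage database, replacing names and e-mails with keyed pseudonyms (so rows for the same customer still join up), masking card numbers to the last four digits, and finishing with a check that no raw card number survived. The table layout, column names and sample rows are assumptions made for the example.

```python
import hashlib
import hmac
import re
import sqlite3

# Key known only to the sanitization job (constructed placeholder, not a production secret).
TOKEN_KEY = b"sanitizer-secret-placeholder"

SCHEMA = "CREATE TABLE payments(customer_id INTEGER, name TEXT, email TEXT, pan TEXT, amount REAL)"


def pseudonym(value: str, label: str) -> str:
    """Deterministic keyed pseudonym: the same input always maps to the same token,
    so foreign keys and joins in the stage copy still line up, but the token cannot
    be reversed without TOKEN_KEY."""
    digest = hmac.new(TOKEN_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{label}-{digest}"


def mask_pan(pan: str) -> str:
    """Keep only the last four digits of a card number; everything else becomes X."""
    digits = re.sub(r"\D", "", pan)
    return "X" * (len(digits) - 4) + digits[-4:] if len(digits) >= 4 else "XXXX"


def sanitize_row(row):
    customer_id, name, email, pan, amount = row
    return (customer_id, pseudonym(name, "name"),
            pseudonym(email, "user") + "@example.invalid", mask_pan(pan), amount)


def copy_sanitized(prod: sqlite3.Connection, stage: sqlite3.Connection) -> None:
    """Stream every production row through sanitize_row() into the stage database."""
    stage.execute(SCHEMA)
    rows = prod.execute("SELECT customer_id, name, email, pan, amount FROM payments")
    stage.executemany("INSERT INTO payments VALUES (?,?,?,?,?)", (sanitize_row(r) for r in rows))
    stage.commit()


def leaks_raw_pan(rows) -> bool:
    """Post-copy check: no 13-19 digit run (a plausible card number) may remain in any field."""
    return any(re.search(r"(?:\d[ -]?){13,19}", str(v)) for r in rows for v in r)


def build_demo():
    """Constructed sample data; the card numbers are well-known test numbers, not real accounts."""
    prod = sqlite3.connect(":memory:")
    prod.execute(SCHEMA)
    prod.executemany("INSERT INTO payments VALUES (?,?,?,?,?)", [
        (1, "Alice Example", "alice@example.com", "4111 1111 1111 1111", 19.99),
        (1, "Alice Example", "alice@example.com", "4111 1111 1111 1111", 5.00),
        (2, "Bob Example", "bob@example.com", "5555-5555-5555-4444", 42.50),
    ])
    stage = sqlite3.connect(":memory:")
    copy_sanitized(prod, stage)
    return stage.execute("SELECT * FROM payments ORDER BY rowid").fetchall()
```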