IMPORTANT - Re: Satchmo and PA DSS standards


Bruce Kroeze
Nov 6, 2009, 12:54:13 PM
to satchm...@googlegroups.com
On Fri, Nov 6, 2009 at 9:58 AM, Udbhav <gupta....@gmail.com> wrote:
>
> Was reading an old post on Pinnacle Cart's blog regarding upcoming
> changes to PA DSS requirements becoming mandatory (http://
> blog.pinnaclecart.com/2009/07/28/pa-dss-and-the-shopping-cart-
> industry/).  I was just wondering where Satchmo stands on this issue,
> and whether it will be PA DSS certified.  I haven't really been able
> to find too much discussion or documentation on this subject and was
> hoping for a little clarification.  I do know Satchmo doesn't store
> card numbers or cvv2 information in the database unless you explicitly
> tell it to, but I'm not sure about Satchmo's official standing in
> relation to these matters.  Could anybody clear this up, or at least
> point me in a direction where I can get a little more detail?

This is quite frustrating and obnoxious. Not you, Dev, the process as
it relates to open-source projects.

Interestingly, one of the "best practices" suggested in the PA DSS
Program Guide (https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml)
is that the payment system should preferably be isolated from the cart
itself. That's exactly what I've been doing with django-bursar.

I'd even be willing - not eager, but willing - to do the assessment
and apply for certification. I'm confident that we already meet the
guidelines. However, there is no way I will personally assume the
cost of the $1250 application fee, the $125 listing fees for minor
updates, and the $500 yearly listing fee. I could kick in a couple
hundred, but I can't justify carrying the full load. I make a living
from Satchmo & Bursar, but it isn't so luxurious that I could afford
~$1,000-$2,000 a year in listing fees.

I think we need to come up with a strategy. If I could get
commitments from stores using Satchmo or Bursar to pay part of the
fees, then we could proceed, otherwise it simply is not worth my
effort to try since we'll be blocked by the fees.

Also, I think it is time for Satchmo and Bursar to be more formally
copyrighted. I think it will be required as part of the certification
process for the software to be "owned" by an actual legal entity.
This is a can of worms, of course. I own a company that would be
willing to assume the responsibilities of benevolent ownership, at
least of Bursar, but I'd need formal releases of rights to the code
from everyone involved. Luckily, that is largely me and Chris. A
couple of the payment modules would need rights releases, however.

This really does have huge implications for the open-source movement.
Arbitrary regulation by non-governmental agencies, demanding fees from
anyone who dares to provide an interface to their API. Ugly. I
simply don't see how anyone could justify the $500 yearly listing fee,
for example. Obviously, they don't have to justify anything. Yet, I
don't want to abandon Bursar, nor do I want to make store owners lie
on their applications to get merchant accounts.

Thoughts from anyone? Anyone willing to pony up part of the
application fee? Should we move to a "suggested donation" system?
Administrated by whom? I'd do it, reluctantly, but again - a can of
worms.

--
Bruce Kroeze
http://www.ecomsmith.com
It's time to hammer your site into shape.

bobhaugen
Nov 7, 2009, 7:36:11 AM
to Satchmo users
On Nov 6, 11:54 am, Bruce Kroeze <bkro...@gmail.com> wrote:
> Also, I think it is time for Satchmo and Bursar to be more formally
> copyrighted.  I think it will be required as part of the certification
> process for the software to be "owned" by an actual legal entity.

Think the Django Foundation would cover? The Dojo Foundation does it
for a bunch of related (and some unrelated) projects.

That wouldn't cover the fees, of course, just the copyright
ownership. Any idea how other open source ecommerce software projects
are approaching this can of worms? Quite a few out there, some popular.

Bob Waycott
Nov 24, 2009, 8:34:51 AM
to satchm...@googlegroups.com
Hey Bruce, 

I've been asked by my superiors here at Medium to look into this and find out how this matter is moving forward or if we have a plan yet for how it needs to move forward. Since Satchmo is our go-to e-commerce platform of record, we are interested in helping in either a financial or coding capacity, depending on what is actually needed.

Any word you can give me on this so I can carry it before the board here?

Thanks,

Bob

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Satchmo users" group.
To post to this group, send email to satchm...@googlegroups.com
To unsubscribe from this group, send email to satchmo-user...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/satchmo-users?hl=en
-~----------~----~----~----~------~----~------~--~---


Bruce Kroeze
Nov 24, 2009, 12:52:09 PM
to satchm...@googlegroups.com
On Tue, Nov 24, 2009 at 5:34 AM, Bob Waycott <bobwa...@gmail.com> wrote:
> Hey Bruce,
>
> I've been asked by my superiors here at Medium to look into this and find out how this matter is moving forward or if we have a plan yet for how it needs to move forward. Since Satchmo is our go-to e-commerce platform of record, we are interested in helping in either a financial or coding capacity, depending on what is actually needed.
>
> Any word you can give me on this so I can carry it before the board here?


No one has stepped up to offer a dime of support, unfortunately.  One of my larger clients, when informed about the issue, has decided to call their store an "in-house developed" cart to sidestep the issue.  I think that is shortsighted, but I'm still in a bind about what to do.  My offer remains open to work with a sponsor or sponsors to get this done.

Frustrating. 

Bob Waycott
Nov 24, 2009, 2:08:37 PM
to satchm...@googlegroups.com
Bruce, what kind of work is necessary related to the coding side of things with Satchmo & Bursar to obtain compliance?

Also, do the numbers you posted a couple messages ago still stand as an accurate quote of the financial impact of compliance?

We are pretty serious here about ensuring we can continue to deliver e-commerce in a compliant fashion, thus easing our customers' concerns without any shady side-stepping.

If you'd like, you can contact me directly and we can talk more about the details.

Thanks,

Bob


daniel...@gmail.com
Nov 25, 2009, 11:59:06 PM
to Satchmo users
Can you help me understand what the PA DSS is all about? Is the
payment card industry creating a list of "approved" shopping cart
systems and wants all shopping cart developers to fork out $1250 to be
on a list?

On Nov 24, 1:08 pm, Bob Waycott <bobwayc...@gmail.com> wrote:
> Bruce, what kind of work is necessary related to the coding side of things
> with Satchmo & Bursar to obtain compliance?
>
> Also, do the numbers you posted a couple messages ago still stand as an
> accurate quote of the financial impact of compliance?
>
> We are pretty serious here about ensuring we can continue to deliver
> e-commerce in a compliant fashion, thus easing our customer's concerns
> without any shady side-stepping.
>
> If you'd like, you can contact me directly and we can talk more about the
> details.
>
> Thanks,
>
> Bob
>
> On Tue, Nov 24, 2009 at 12:52 PM, Bruce Kroeze <bkro...@gmail.com> wrote:
>
> > On Tue, Nov 24, 2009 at 5:34 AM, Bob Waycott <bobwayc...@gmail.com> wrote:
>
> >> Hey Bruce,
>
> >> I've been asked by my superiors here at Medium to look into this and find
> >> out how this matter is moving forward or if we have a plan yet for how it
> >> needs to move forward. Since Satchmo is our go-to e-commerce platform of
> >> record, we are interested in helping in either a financial or coding
> >> capacity, depending on what is actually needed.
>
> >> Any word you can give me on this so I can carry it before the board here?
>
> > No one has stepped up to offer a dime of support, unfortunately.  One of my
> > larger clients, when informed about the issue, has decided to call their
> > store an "in-house developed" cart to sidestep the issue.  I think that is
> > shortsighted, but I'm still in a bind about what to do.  My offer remains
> > open to work with a sponsor or sponsors to get this done.
>
> > Frustrating.
>
> > --
> > Bruce Kroeze
> >http://www.ecomsmith.com
> > It's time to hammer your site into shape.

Bruce Kroeze
Nov 26, 2009, 12:10:25 AM
to satchm...@googlegroups.com
On Wed, Nov 25, 2009 at 8:59 PM, daniel...@gmail.com <daniel...@gmail.com> wrote:
> Can you help me understand what the PA DSS is all about?  Is the
> payment card industry creating a list of "approved" shopping cart
> systems and wants all shopping cart developers to fork out $1250 to be
> on a list?


Basically, yes, you have it correctly.  It costs a minimum of $1250 to list a cart as approved.

More than that, though.  The easiest, fastest way to be approved is to have an audit run by a certified PA-QSA company.  Seems to be about as hard as getting a CNA (not hard at all, just take classes and be good at memorizing).  So there are the audit fees, and the joy of dealing with the auditors, who are almost certainly non-programmers who think they know much more about programming and security than "you" do.

Security is *hard*, and it isn't something you can buy, nor is it something that works well with explicit rules.  It is something you build into the process at your company and for your implementation.  The specific cart software you use is possibly 10% of the potential problems.  However, we have no choice.  Toe the line or face losing your merchant account.
 
So, the PA DSS initiative seems to be a nice way to rack up a few more dollars, close out the small competitors, and look like you are standing up for security.  Bleah.

Iain Mac Donald
Nov 26, 2009, 4:49:20 PM
to satchm...@googlegroups.com
On Wed, 25 Nov 2009 21:10:25 -0800
Bruce Kroeze <bkr...@gmail.com> wrote:

> So, the PA DSS initiative seems to be a nice way to rack up a few
> more dollars, close out the small competitors, and look like you are
> standing up for security. Bleah.

Completely agree with that.

However, is it really that bleak? From looking at the SagePay pages

http://www.sagepay.com/integrating_sagepay.asp

"Sage Pay Go with Server integration is recommended to merchants who
want to run order & transaction reports on their own servers, but don’t
want to invest in their own digital certificate or collect credit card
details on their own website... This instantly reduces the need for
high-level PCI DSS compliance and doesn’t compromise your customers’
shopping experience on your site."

Isn't SagePay supported by Satchmo as it is a re-branded Protx? What
about the other payment processors supported by Satchmo?

Or am I missing something?

Regards,
Iain.

Bruce Kroeze
Nov 26, 2009, 5:09:15 PM
to satchm...@googlegroups.com
On Thu, Nov 26, 2009 at 1:49 PM, Iain Mac Donald <google...@picturenow.co.uk> wrote:
> On Wed, 25 Nov 2009 21:10:25 -0800
> Bruce Kroeze <bkr...@gmail.com> wrote:
>
> > So, the PA DSS initiative seems to be a nice way to rack up a few
> > more dollars, close out the small competitors, and look like you are
> > standing up for security.  Bleah.
>
> Completely agree with that.
>
> However, is it really that bleak? From looking at the SagePay pages
>
> http://www.sagepay.com/integrating_sagepay.asp
>
> "Sage Pay Go with Server integration is recommended to merchants who
> want to run order & transaction reports on their own servers, but don't
> want to invest in their own digital certificate or collect credit card
> details on their own website... This instantly reduces the need for
> high-level PCI DSS compliance and doesn't compromise your customers'
> shopping experience on your site."


That appears to be an optional service, which requires a redirect to their servers, much like PayPal.  That's great, actually it would be nice to do an advanced integration with them, possibly I'll look into it for Bursar.  But it is a different experience than paying with a credit card, like a "real" store.

Iain Mac Donald
Nov 26, 2009, 5:55:04 PM
to satchm...@googlegroups.com
On Thu, 26 Nov 2009 14:09:15 -0800
Bruce Kroeze <bkr...@gmail.com> wrote:

> But
> it is a different experience than paying with a credit card, like a
> "real" store.

In what way? I quite often use Protx/SagePay merchants and it seems
quite normal to me. SagePay also offer an iframe solution (horrible I
know) but it does integrate into your site.

Also, it looks like Worldpay are offering a similar service to SagePay.
http://www.rbsworldpay.com/pcidss/index.php?page=questions&l=4

Regards,
Iain.

Bruce Kroeze
Nov 27, 2009, 11:59:21 AM
to satchm...@googlegroups.com
On Thu, Nov 26, 2009 at 2:55 PM, Iain Mac Donald <google...@picturenow.co.uk> wrote:
> On Thu, 26 Nov 2009 14:09:15 -0800
> Bruce Kroeze <bkr...@gmail.com> wrote:
>
> > But
> > it is a different experience than paying with a credit card, like a
> > "real" store.
>
> In what way? I quite often use Protx/SagePay merchants and it seems
> quite normal to me. SagePay also offer an iframe solution (horrible I
> know) but it does integrate into your site.

But *we* aren't our target users.  We are used to, and understand, how payment gateways work.  But the vast majority of store customers just want to put in their credit card on a "normal" page.
 

Iain Mac Donald
Nov 27, 2009, 1:14:37 PM
to satchm...@googlegroups.com
On Fri, 27 Nov 2009 08:59:21 -0800
Bruce Kroeze <bkr...@gmail.com> wrote:

> But *we* aren't our target users.

True. However, and this may be a national difference, I come across a
lot of sites with gateway payment processors. I don't have any
statistics to back this up but I would say that they might be in the
majority.

Furthermore, for the small to medium sized businesses I work with their
customers feel reassured when they enter their card details with a big
well known bank. To a lesser extent Paypal and Google have that effect
too.

Just my £0.02.

Regards,
Iain.
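The thread makes two security points without showing them: a cart should not hold card numbers or CVV2 at all (Udbhav's opening question and the PA DSS guidance Bruce cites about isolating the payment system from the cart), and a hosted gateway page such as the Sage Pay Server integration Iain quotes keeps card data off the merchant's servers entirely, which is what reduces the PCI DSS burden. The following is an added example written for this page; it is not code from Satchmo, django-bursar, Sage Pay, Worldpay or PayPal, and `HostedGateway`, `Merchant`, the order id and the card values are constructed stand-ins rather than any real API. It simulates both checkout designs and then runs the check a store owner actually needs: a Luhn-validated scan of everything the merchant side logged or persisted, to confirm no PAN or CVV ended up in scope.

```python
"""Added example (not Satchmo, django-bursar or any gateway's code).

Simulates a hosted-page checkout (card posted by the customer's browser to
the gateway, merchant receives only status + last four) and an in-page
checkout (card handled by the merchant's own server), then scans what the
merchant logged or stored for card data.  All names are constructed.
"""
import re
from dataclasses import dataclass, field

# Constructed sample card: a standard test PAN pattern, not a real card.
TEST_PAN = "4111111111111111"
TEST_CVV = "123"

# 13-19 digits, optionally space/dash separated, not part of a longer digit
# run.  The Luhn check below weeds out most order ids and timestamps.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
CVV_FIELD = re.compile(r"\b(?:cvv2?|cvc|csc)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to tell card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_data(text: str) -> list[str]:
    """Report Luhn-valid PAN-like numbers and CVV fields present in text."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(f"PAN-like number ending {digits[-4:]}")
    for m in CVV_FIELD.finditer(text):
        findings.append(f"CVV field: {m.group()}")
    return findings


@dataclass
class HostedGateway:
    """Constructed stand-in for a gateway with a hosted page and a direct API."""
    transactions: dict = field(default_factory=dict)

    def register(self, order_id: str, amount: str) -> str:
        token = f"tx-{len(self.transactions) + 1:04d}"  # deterministic for the demo
        self.transactions[token] = {"order": order_id, "amount": amount}
        return token

    def customer_submits_card(self, token: str, pan: str, cvv: str) -> dict:
        """Card arrives from the customer's browser; merchant never sees it."""
        status = "authorised" if luhn_ok(pan) else "declined"
        return {"token": token, "status": status, "last4": pan[-4:]}

    def direct_charge(self, pan: str, cvv: str, amount: str) -> dict:
        """Server-to-server charge: the merchant is handling the card itself."""
        return {"status": "authorised" if luhn_ok(pan) else "declined", "last4": pan[-4:]}


@dataclass
class Merchant:
    log: list = field(default_factory=list)
    orders: dict = field(default_factory=dict)

    def hosted_checkout_start(self, gw: HostedGateway, order_id: str, amount: str) -> str:
        token = gw.register(order_id, amount)
        self.log.append(f"order={order_id} redirecting customer, token={token}")
        return token

    def hosted_checkout_finish(self, order_id: str, result: dict) -> None:
        """Gateway notification: only a status and a masked reference arrive."""
        self.orders[order_id] = {"status": result["status"], "card": f"****{result['last4']}"}
        self.log.append(f"order={order_id} gateway status={result['status']} last4={result['last4']}")

    def inpage_checkout(self, gw: HostedGateway, order_id: str, amount: str, pan: str, cvv: str):
        # The classic in-page slip: a debug line written before the card is forwarded.
        self.log.append(f"order={order_id} charging pan={pan} cvv={cvv} amount={amount}")
        result = gw.direct_charge(pan, cvv, amount)
        self.orders[order_id] = {"status": result["status"], "card": f"****{result['last4']}"}


def scope_check(m: Merchant) -> list[str]:
    """Scan everything the merchant logged or persisted for card data."""
    return find_card_data("\n".join(m.log) + "\n" + repr(m.orders))


def demo_hosted() -> list[str]:
    gw, m = HostedGateway(), Merchant()
    token = m.hosted_checkout_start(gw, "ord-42", "19.99")
    result = gw.customer_submits_card(token, TEST_PAN, TEST_CVV)  # browser -> gateway
    m.hosted_checkout_finish("ord-42", result)
    return scope_check(m)  # expected: []


def demo_inpage() -> list[str]:
    gw, m = HostedGateway(), Merchant()
    m.inpage_checkout(gw, "ord-42", "19.99", TEST_PAN, TEST_CVV)
    return scope_check(m)


if __name__ == "__main__":
    print("hosted checkout findings:", demo_hosted())
    print("in-page checkout findings:", demo_inpage())
```

Run it as-is; the hosted flow yields no findings while the in-page flow reports the PAN and the CVV field in the merchant's own log. The same `find_card_data` scan can be pointed at real application logs or a database dump to answer Udbhav's question empirically for a given deployment, keeping in mind that the Luhn filter only reduces false positives from other long digit runs and does not eliminate them.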

lifewithryan
Nov 27, 2009, 3:21:16 PM
to satchm...@googlegroups.com
In my experience the mom and pops use the saas solutions and the
bigger (or those who can afford to have someone do it for them) choose
the integrated solution that bruce is referring to. For some odd
reason as both a developer and a customer, I prefer the latter and
hate passing the entire checkout process to a " third party service"

Sent from my iPod
