PCI Compliance


Alan Gutierrez

Nov 21, 2009, 11:38:59 PM
to spree...@googlegroups.com
I'm looking to deploy a smallish Spree site and the question of PCI DSS
and PCI DA compliance has come up. I've spent most of the day with my
eyes open wide, drinking in an Internet's worth of information on PCI
compliance.

It seems that some people are deploying Spree websites using
Authorize.net or PayPal, and feel they are PCI compliant if they use SSL.

I've seen validation programs with automatic scanners and some technical
support from Trust Guard and McAfee, adding badges to the site that
make it some form of certified.

Then there are services like Braintree which attempt to keep everything
offsite but transparent. Although supported by ActiveMerchant, I don't
see it offered in the setup forms in the administration. My guess is
that few of the people in this group use it.

What are your experiences with PCI Compliance for small retail sites?
Where do I look for guidelines? Is there anything that Spree offers that
makes this easier than another system?

What do you do about PCI Compliance?

Alan Gutierrez
http://twitter.com/bigeasy

Keith Tom

Nov 23, 2009, 10:19:19 AM
to spree...@googlegroups.com

> It seems that some people are deploying Spree websites using
> Authorize.net or PayPal, and feel they are PCI compliant if they use SSL.


I think you'd want this even if it wasn't for PCI compliance.


> Then there are services like Braintree which attempt to keep everything
> offsite but transparent. Although supported by ActiveMerchant, I don't
> see it offered in the setup forms in the administration. My guess is
> that few of the people in this group use it.

It isn't too hard to set up a gateway in Spree if it is already in ActiveMerchant. It usually follows something along the lines of adding a migration to create a Gateway object with its options. Look at this PayPal migration for example. See the API of your gateway for the right options to create.

class CreatePaypalGateway < ActiveRecord::Migration
  def self.up
    # Each GatewayOption describes one credential the store admin fills in
    # through the admin UI; the migration records the option, not the value.
    login     = GatewayOption.create(:name => "login",
                                     :description => "Your login email.")
    password  = GatewayOption.create(:name => "password",
                                     :description => "Your Paypal API Credentials Password.")
    signature = GatewayOption.create(:name => "signature",
                                     :textarea => true,
                                     :description => "Your Paypal API Credentials signature string.")

    # The Gateway row names the ActiveMerchant class (:clazz is Spree's column
    # for it) and lists the options that class needs.
    Gateway.create(:name => "Paypal - Website Payments Pro",
                   :clazz => "ActiveMerchant::Billing::PaypalGateway",
                   :description => "Active Merchant's Paypal Website Payments Pro (US) Gateway.",
                   :gateway_options => [login, password, signature])
  end

  def self.down
    # Reverse the migration: remove the gateway and the options created above
    # (assumes the gateway_options association the :gateway_options key implies).
    gateway = Gateway.find_by_name("Paypal - Website Payments Pro")
    if gateway
      gateway.gateway_options.each(&:destroy)
      gateway.destroy
    end
  end
end


> What are your experiences with PCI Compliance for small retail sites?
> Where do I look for guidelines? Is there anything that Spree offers that
> makes this easier than another system?

Take this as an informal answer.  You definitely don't want to store credit card data or any other secure financial information.  Spree currently does not store credit card data by default but with a few config options could be changed to do so.

PCI is quite large.  I suggest you just continue doing your Google searches.  The following looks like a decent start
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Hope that helps.


> What do you do about PCI Compliance?
>
> Alan Gutierrez
> http://twitter.com/bigeasy


Sean Schofield

Nov 23, 2009, 11:07:38 AM
to spree...@googlegroups.com
FYI - The migration approach is abandoned in the upcoming release
(edge) in favor of an even more simplified preferences system (see
recent blog post.)

Sean Schofield

-------------------------------------------
Rails Dog LLC
2 Wisconsin Circle, Suite 700
Chevy Chase, MD 20815
voice: (301)560-2000
-------------------------------------------

Alan Gutierrez

Nov 23, 2009, 1:53:05 PM
to spree...@googlegroups.com
Keith Tom wrote:

>> What are your experiences with PCI Compliance for small retail sites?
>> Where do I look for guidelines? Is there anything that Spree offers that
>> makes this easier than another system?
>
> Take this as an informal answer. You definitely don't want to store
> credit card data or any other secure financial information. Spree
> currently does not store credit card data by default but with a few
> config options could be changed to do so.
>
> PCI is quite large. I suggest you just continue doing your google
> searches. The following looks like a decent start
> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>
> Hope that helps.

Keith

Thank you for your response.

Using a dedicated host and SSL for an e-commerce project is a given. I'm
asking specifically about steps that people take, using the existing
available gateways, to achieve PCI compliance and avoid sanctions.

This is my first e-commerce application, but it is not my first secured
application. I'm aware of the need for SSL in an application of this
sort. I'm also aware that you're not supposed to store the PANs and
CVVs, that the gateway stores those and provides you with a token.

Having spent two days now with PCI, my impression is that if you do not
store credit cards, you fill out SAQ-C and subscribe to quarterly scans
through a firm like Trust Guard or McAfee. Trust Guard will even give
you a badge for your website.

Reading the PayPal forums, the few times that PCI is mentioned, PayPal
Certified Developers say that PayPal will require that you use SSL and
do not store PANs.

Basically, there are a lot of websites screaming themselves blue in the
face about PCI compliance, but I'm not seeing any discussion of PCI
compliance in Magento, osCommerce, or other open source forums.

Here are some more specific questions:

* Do people here use virtual hosting, like Linode or Slicehost? There is
a PCI requirement that the data center is certified, and I see no
mention of PCI certification at these popular Xen hosts. Amazon does say
that you should not plan on using EC2 if you need PCI compliance, their
reason being that if you need Level 1, they will not allow an on-site
compliance inspection.

* Has anyone here subscribed to any sort of PCI compliance consulting or
quarterly or annual scanning from an Approved PCI Compliance Scanning Vendor?

* Is Spree going to survive the upcoming (July 1st, 2010) deadlines for
PA-DSS compliance? I'm under the impression that commercial shopping
cart vendors spend a considerable sum to obtain this compliance. I'm
wondering what open source projects say about this barrier.

Otherwise, I'd like to say that Spree is a great application and I'm
eager to deploy it and contribute to the community. I don't mean to
start out here with so many questions. I hope they are useful questions.

Alan Gutierrez
http://twitter.com/bigeasy

Todd Fisher

Nov 23, 2009, 2:59:48 PM
to spree...@googlegroups.com
I might be totally off, but my understanding is PCI Compliance is for the gateways primarily because it is about storing credit card information... Because spree does not by default store credit card information, it is a red herring to be PCI compliant - I'm not a PCI expert however...

Alan Gutierrez

Nov 23, 2009, 3:55:22 PM
to spree...@googlegroups.com
Todd Fisher wrote:

> I might be totally off, but my understanding is PCI Compliance is for
> the gateways primarily because it is about storing credit card
> information... Because spree does not by default store credit card
> information, it is a red herring to be PCI compliant - I'm not a PCI
> expert however...

Those are gateways. Spree users are merchants. PCI compliance applies to
merchants as well as gateways. It applies to anyone that accepts,
transmits or stores any cardholder data. Spree accepts and transmits.

http://www.pcicomplianceguide.org/pcifaqs.php#2

Alan Gutierrez
http://twitter.com/bigeasy

Sean Schofield

Nov 23, 2009, 9:15:45 PM
to spree...@googlegroups.com
It is my understanding that PCI only applies to the merchant using
Spree - not Spree itself. Most small merchants don't bother with PCI
and just take reasonable precautions (like SSL and not storing credit
card numbers.) I doubt there is much that a PCI audit would turn up
since we store no credit card information other than expiration date
and last four digits.

Sean
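The discipline Sean describes (persist only the expiry and last four digits) and Keith's warning that a few config changes could make an app store more than that are easy to state and easy to get wrong in code. The following is an added example, not Spree's own code and not from anyone in this thread: a plain-Ruby sketch of a merchant-side charge path in which the full card number and CVV exist only in local variables on their way to the gateway, plus a last-line check that refuses to persist any record carrying a PAN-length digit run or a CVV field. CardRecord, GatewayStub and the function names are hypothetical, and the card number used is a constructed test value.

```ruby
# Added example (not Spree's code): hold card data only long enough to hand it
# to the gateway; persist last four digits, expiry and a gateway token only.
require 'digest'
require 'json'

# The only card fields a merchant record carries: no PAN column, no CVV column.
CardRecord = Struct.new(:last_digits, :month, :year, :gateway_token) do
  def to_h
    { 'last_digits' => last_digits, 'month' => month, 'year' => year,
      'gateway_token' => gateway_token }
  end
end

# Stand-in for the payment gateway (constructed for this example). A real
# gateway vaults the card and returns an opaque reference; this one derives a
# token locally so the flow runs offline.
class GatewayStub
  def authorize(pan, _cvv, _month, _year)
    'tok_' + Digest::SHA256.hexdigest(pan)[0, 12]
  end
end

# Keep digits only, so "4111 1111 1111 1111" and "4111-1111-1111-1111" match.
def normalize_pan(number)
  number.to_s.gsub(/[^0-9]/, '')
end

# Luhn checksum: a cheap sanity check before spending a gateway call.
def luhn_valid?(pan)
  return false if pan.length < 13 || pan.length > 19
  sum = 0
  pan.chars.map(&:to_i).reverse.each_with_index do |d, i|
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# The charge path: PAN and CVV live only in local variables here and are never
# copied into the record that goes to the database.
def tokenize_and_record(gateway, number:, cvv:, month:, year:)
  pan = normalize_pan(number)
  raise ArgumentError, 'invalid card number' unless luhn_valid?(pan)
  token = gateway.authorize(pan, cvv, month, year)
  CardRecord.new(pan[-4, 4], month, year, token)
end

# Last line of defence before a write: reject any record that carries a CVV or
# number field, or a PAN-length digit run anywhere in its serialized form,
# whichever code path produced it.
def safe_to_persist?(record_hash)
  return false if %w[cvv verification_value number].any? { |k| record_hash.key?(k) }
  return false if JSON.generate(record_hash).match?(/\d{13,19}/)
  record_hash['last_digits'].to_s.length == 4
end
```

The point of `safe_to_persist?` is that it does not trust the model: a later "small config change" that adds a `number` attribute, or a debug field that captures the raw form post, is caught at the write boundary rather than discovered by a quarterly scan.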

Alan Gutierrez

Nov 24, 2009, 12:25:09 AM
to spree...@googlegroups.com
I've read that there is a July 1, 2010 deadline for merchant software to
comply with a PA-DSS.

http://www.merchantaccountblog.com/735/pa-dss-and-you-thought-pci-was-a-mess

Here's an article mentioning that Magento is telling people to upgrade
to the commercial offering.

http://blog.pinnaclecart.com/2009/07/28/pa-dss-and-the-shopping-cart-industry/

Here is a recommendation of one of three choices for users of
non-compliant carts.

http://www.practicalecommerce.com/articles/1374-When-a-Shopping-Cart-is-Not-PCI-Compliant-Three-Options-for-Merchants

Meanwhile, I'm developing my first Spree website, which is why I'm
curious about what the future holds for Spree and all this
compliance FUD.

Alan Gutierrez
http://twitter.com/bigeasy

Alan Gutierrez

Nov 24, 2009, 12:32:25 AM
to Spree


On Nov 23, 11:25 pm, Alan Gutierrez <a...@blogometer.com> wrote:
> Sean Schofield wrote:
> > It is my understanding that PCI only applies to the merchant using
> > Spree - not Spree itself.  Most small merchants don't bother with PCI
> > and just take reasonable precautions (like SSL and not storing credit
> > card numbers.)  I doubt there is much that a PCI audit would turn up
> > since we store no credit card information other than expiration date
> > and last four digits.
>
> Sean
>
> I've read that there is a July 1, 2010 deadline for merchant software to
> comply with a PA-DSS.
>
> http://www.merchantaccountblog.com/735/pa-dss-and-you-thought-pci-was...
>
> Here's an article mentioning that Magento is telling people to upgrade
> to the commercial offering.
>
> http://blog.pinnaclecart.com/2009/07/28/pa-dss-and-the-shopping-cart-...
>
> Here is a recommendation of one of three choices for users of
> non-compliant carts.
>
> http://www.practicalecommerce.com/articles/1374-When-a-Shopping-Cart-...
>
> Meanwhile, I'm developing my first Spree website, which is why I'm
> curious about what the future holds for Spree and all this
> compliance FUD.

I'd like to add a link to a discussion in another open source community
I found that is interesting.

http://groups.google.com/group/satchmo-users/browse_thread/thread/68df8936af70b0d1/c46bbe9601a4aba8

Alan Gutierrez
http://twitter.com/bigeasy

William Emerson

Nov 24, 2009, 1:51:59 AM
to spree...@googlegroups.com
I too am wondering about PCI Compliance. I am not sure how it works
when a merchant uses a licensed or open-source cart. The details of
implementation are specific to the merchant not to the software
project so it might mean that every merchant might have to get PCI
Certification. I don't know but will be researching it also.

I have worked with a merchant whose bank required PCI compliance and a
subscription to an auditing service called SecurityMetrics. There is
an automated test run every month and the rules for compliance keep
changing. Many times the test fails because some version of an Apache
module is now considered hazardous and must be updated. There have
been many false positives (the tests fail) which require the host to
send version information to SecurityMetrics which then whitelists the
host software. It has required me as developer to be the mediator
between host and auditor. It has not been fun.

That said, the most difficult part of PCI Compliance is to clean up
the office network and software. If you don't store credit card info,
it's not so big a problem but this business requires stored cards.

I'd love to hear other developers' experiences and any information
anyone discovers.
Will Emerson

Roman Smirnov

Nov 24, 2009, 7:08:28 AM
to Spree

Eliot Sykes

Nov 24, 2009, 12:03:29 PM
to Spree
What follows is heavy on opinion, light on fact.

I didn't dig into the PCI topic too deeply but what I did scared me
enough to move to using only off site checkout systems (PayPal
Website Payments Pro is *not* off site checkout, PayPal Express and
Google Checkout are off site).

If you don't store CC numbers but do transfer them as is the case with
most gateways available to Spree, including PayPal (unless you're
using PayPal Express) I think you're supposed to be PCI compliant
(just transferring numbers is still open to hacking). This means
subjecting your servers (and work PCs?) to scans by a third party plus
answering the PCI questionnaires. (Does PCI require not being on a
shared host?)

I didn't want to get tangled up in red tape, time is better spent
elsewhere, *and* have the worry hanging over me that if the system
ever got compromised even if it was PCI compliant my business might
end up liable and bankrupt.

As a result and as it's a small business I figured the simplest
solution would be the best: Use off site payment processors only,
Google Checkout and PayPal Express are the two major ones I know of.
I'm hoping people are more used to paying via these services than they
used to be. This lets me sleep easier.

Eliot

jumph4x

Dec 2, 2009, 12:11:35 AM
to Spree
Most DEFINITELY an issue that every developer should research.

It is beginning to come up with the company I work for as well and it
is starting to intimidate me as the developer, especially because we
are moving from someone who claims to be PCI compliant and from what I
can tell, actually aren't.

We do store card numbers right now. To tell our salesmen that we can
no longer do this will not go over easy. I will formally bring the
issue up tomorrow before the management and see what comes of it.

But the PCI compliance information that I find most definitely
implies that even though Spree as software does not store credit card
numbers, that doesn't automatically mean we, as developers, don't need to
research this. Basically we need a deployment guide with detailed
bullet points on how exactly to handle launching a Spree-based
project. Something like:

- Only use a dedicated server as the hosting solution
- Hardware firewall is a requirement
- Use provided SSL config with Spree (and do not reduce the SSL
coverage. Only increase coverage if you need to modify this)

And so on and so forth. I need to be able to sleep at night...
starting to get a little frightened by the issue, to be honest.

On Nov 24, 12:03 pm, Eliot Sykes <eliotsy...@gmail.com> wrote:
> What follows is heavy on opinion, light on fact.
>
> I didn't dig into the PCI topic too deeply but what I did scared me
> enough to move to only using off site checkout systems only (PayPal
> Website Payments Pro is *not* off site checkout, PayPal Express and
> Google Checkout are off site).
>
> If you don't store CC numbers but do transfer them as is the case with
> most gateways available to Spree, including PayPal (unless you're
> using PayPal Express) I think you're supposed to be PCI compliant
> (just transferring numbers is still open to hacking). This means
> subjecting your servers (and work PCs?) to scans by a third party plus
> answering the PCI questionnaires.  (Does PCI require not being on a
> shared host?)
>
> I didn't want to get tangled up in red tape, time is better spent
> elsewhere, *and* have the worry hanging over me that if the system
> ever got compromised even if it was PCI compliant my business might

jumph4x

Dec 2, 2009, 12:49:32 AM
to Spree
Worthwhile article that keeps it very simple:

http://www.crucialwebhost.com/blog/ecommerce-pci-compliant-hosting/

Good introduction and primer for those not familiar with the issues
discussed in this topic. Everyone developing within the Spree
application should read it, IMHO.