Keith Tom wrote:
>> What are your experiences with PCI Compliance for small retail sites?
>> Where do I look for guidelines? Is there anything that Spree offers that
>> makes this easier than another system?
>
> Take this as an informal answer. You definitely don't want to store
> credit card data or any other secure financial information. Spree
> currently does not store credit card data by default but with a few
> config options could be changed to do so.
>
> PCI is quite large. I suggest you just continue doing your google
> searches. The following looks like a decent start
>
> https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
>
> Hope that helps.
Keith
Thank you for your response.
Using a dedicated host and SSL for an e-commerce project is a given. I'm
asking specifically about steps that people take, using the existing
available gateways, to achieve PCI compliance and avoid sanctions.
This is my first e-commerce application, but it is not my first secured
application. I'm aware of the need for SSL in an application of this
sort. I'm also aware that you're not supposed to store the PANs and
CVVs, that the gateway stores those and provides you with a token.
Having spent two days now with PCI, my impression is that if you do not
store credit cards, you fill out SAQ-C and subscribe to quarterly scans
through a firm like Trust Guard or McAfee. Trust Guard will even give
you a badge for your website.
Reading the PayPal forums, the few times that PCI is mentioned, PayPal
Certified Developers say that PayPal will require that you use SSL and
do not store PANs.
Basically, there are a lot of websites screaming themselves blue in the
face about PCI compliance, but I'm not seeing any discussion of PCI
compliance in Magento, osCommerce, or other open source forums.
Here are some more specific questions:
* Do people here use virtual hosting, like Linode or Slicehost? There is
a PCI requirement that the data center is certified, and I see no
mention of PCI certification at these popular Xen hosts. Amazon does say
that you should not plan on using EC2 if you need PCI compliance, their
reason being that if you need Level 1, they will not allow an on-site
compliance inspection.
* Has anyone here subscribed to any sort of PCI compliance consulting or
quarterly or annual scanning from an Approved PCI Compliance Scanning Vendor?
* Is Spree going to survive the upcoming (July 1st, 2010) deadlines for
PA-DSS compliance? I'm under the impression that commercial shopping
cart vendors spend a considerable sum to obtain this compliance. I'm
wondering what open source projects say about this barrier.
Otherwise, I'd like to say that Spree is a great application and I'm
eager to deploy it and contribute to the community. I don't mean to
start out here with so many questions. I hope they are useful questions.
Alan Gutierrez
http://twitter.com/bigeasy