I have not dealt with PCI, but I have dealt with HIPAA compliance; the two differ in their specifics, but the general process is largely similar.
That said, are you sure you *need* to be PCI compliant? With services like Stripe, you can avoid having payment information ever pass through your server, which as I understand it means you don't need to worry about PCI compliance. Having been down the compliance route, avoiding it would be worth a lot of sacrificing of other goals unless there's something absolutely non-negotiable: having compliance requirements means you'll have to spend a *lot* of time, effort, and money dealing with them.
We have worked with Three Pillars Technology (they're local in Madison, http://threepillarstechnology.com/ ) as security and compliance consultants, and they've been extremely helpful. They are probably more familiar with the Windows space, but we've had no problems with them re: Linux/Rails.
That said, the best decision we made was moving our hosting to FireHost. They specialize in HIPAA and PCI compliant hosting, and they have all of the serious security infrastructure pieces down pat. It’s staffed largely by ex-NSA and Army cyber command guys and they *really* know their stuff. They’re very familiar with Rails/Linux stacks and handle plenty of them. They’re a lot more expensive than a commodity host, but they handle a lot of stuff that I would have to deal with and review myself, and so we find it worth it because security takes up a lot less of my time, *and* it’s done far better than anyone without an incredibly extensive security background could accomplish. Plus, compared with the costs of a failed audit and/or data breach, it’s a sound investment for us.
The expertise of people who spend all day on security and compliance stuff makes a huge difference in my confidence of navigating all of the compliance requirements, and the certainty that an audit would go smoothly slows the appearance of gray hairs.
If you'd like to chat on the phone or anything, let me know; I'd be happy to help if I can.
Matt
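The scope-reduction idea in the reply above (let a tokenizing provider such as Stripe handle the card, so the server only ever sees an opaque token) is easy to state and easy to undermine with one badly wired form field. Below is an added guardrail example, written for this thread and not taken from Stripe, Rails, or either poster, in plain Ruby so it runs without any gem. It treats the request parameters as untrusted, rejects well-known card-field names, and additionally flags any value that is a Luhn-valid 13 to 19 digit string, so a PAN that arrives under an unexpected name still never reaches your database or logs. The parameter name `payment_token`, the forbidden-field list, and the sample inputs (including Stripe's public `4242 4242 4242 4242` test number) are assumptions made for the illustration.

```ruby
# Added example (not from the thread): keep raw card data out of a tokenized
# payment flow. The browser sends the card to the provider and receives an
# opaque token; the server accepts only that token. Field names below are
# assumed for illustration, not taken from any provider's API.

require 'set'

module PaymentParams
  # Fields a server never needs once the provider tokenizes the card.
  # The list is an assumption; extend it to match your own form names.
  FORBIDDEN_KEYS = Set.new(
    %w[number card_number cc_number pan cvc cvv exp_month exp_year]
  ).freeze

  # Raised when raw card data shows up in a request that should carry a token.
  class CardDataLeak < StandardError; end

  # Luhn (mod 10) check on a string of digits. Used to recognise a primary
  # account number (PAN) regardless of the parameter name it arrived under.
  def self.luhn_valid?(digits)
    sum = 0
    digits.reverse.each_char.with_index do |ch, i|
      d = ch.to_i
      d *= 2 if i.odd?      # double every second digit from the right
      d -= 9 if d > 9       # same as summing the two digits of the product
      sum += d
    end
    (sum % 10).zero?
  end

  # True when a value looks like a card number: 13 to 19 digits after removing
  # spaces and dashes, and Luhn-valid. Non-strings are never flagged.
  def self.looks_like_pan?(value)
    return false unless value.is_a?(String)
    digits = value.delete(' -')
    digits.match?(/\A\d{13,19}\z/) && luhn_valid?(digits)
  end

  # Returns the provider token from a flat params hash (string or symbol keys).
  # Raises CardDataLeak if a forbidden field or PAN-like value is present, and
  # ArgumentError if no token was supplied. Call this before anything logs or
  # persists the request, so the check happens while the data is still in memory.
  def self.extract_token(params)
    params.each do |key, value|
      raise CardDataLeak, "forbidden field: #{key}" if FORBIDDEN_KEYS.include?(key.to_s)
      raise CardDataLeak, "PAN-like value in #{key}" if looks_like_pan?(value)
    end
    token = params[:payment_token] || params['payment_token']
    raise ArgumentError, 'payment_token missing' if token.nil? || token.to_s.empty?
    token
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests, not captured traffic.
  good = { 'payment_token' => 'tok_constructed_example', 'amount_cents' => '1999' }
  puts "token accepted: #{PaymentParams.extract_token(good)}"

  leaky = { 'payment_token' => 'tok_constructed_example', 'memo' => '4242-4242-4242-4242' }
  begin
    PaymentParams.extract_token(leaky)
  rescue PaymentParams::CardDataLeak => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails controller this sits in front of strong parameters: call `PaymentParams.extract_token(params.to_unsafe_h)` (or the subset you permit) and let the `CardDataLeak` exception surface as a 400 plus an alert, because a leak at this point usually means the front-end integration regressed and card data is now transiting a system you told the auditor it never touches. The Luhn check will not catch every PAN (some test and non-standard numbers fail it) but it catches the common case of a real card number landing in a free-text field.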
Hello Railers!
Does anyone have experience going through a PCI compliance audit with an e-commerce site built on Ruby on Rails?
I've gone through PCI audits in the past and while these audits should be language/framework/platform agnostic, I'm in a tricky situation.
Our client hired their own auditor, who is more familiar with .Net and Microsoft platforms and it's causing some issues because of a lack of knowledge with Rails and Linux. So, that's why I'd like to find a PCI consultant who is more comfortable with a typical Rails stack.
Thanks all,
Culley
--
You received this message because you are subscribed to the MadRailers Google Group group.
To visit the MadRailers home page, go to
http://madrailers.org
To post to this group, send email to
mad-r...@googlegroups.com