PCI compliance


Chris Booth

Apr 14, 2009, 12:02:25 PM
to Orlando Ruby Users Group Discussion
I'm wondering if anyone has investigated the issue of PCI compliance
when using ActiveMerchant, Saasy or RailsKit? Since none of these use
invisible redirect (as far as I can tell), are there concerns for PCI
compliance here? It's my understanding that if any page collects CC
information and that information is brought back to a controller in
the application, you must answer a huge (250 question) PCI
compliance questionnaire. Am I missing something about PCI compliance
or has this just been downplayed/ignored when using ActiveMerchant/
Saasy/RailsKit?

Any thoughts would be extremely helpful.

Thanks,

Chris

Greg Pederson

Apr 14, 2009, 12:06:31 PM
to orug-di...@googlegroups.com
I think you might be able to get a free PCI compliance report run on your site. IMHO an actual test will be more beneficial than any guesswork. If not free, either pass that cost onto your client or consider it cost of business and peace of mind?

Greg
--
Greg Pederson
Founder and Technical Director

Nsight Development, LLC.
www.NsightDevelopment.com

Gr...@NsightDevelopment.com
407-641-0327

Quis custodiet ipsos custodes

Greg.P...@gmail.com

Nathan Kopp

Apr 14, 2009, 12:08:54 PM
to orug-di...@googlegroups.com
I believe that your understanding of PCI compliance is correct. The
organization I work for is working hard to become PCI compliant, and the
requirements are quite strict (and annoying). And it's probably more
than a questionnaire... your answers to the questionnaire must be the
right answers, and you'll probably need to pay an outside company to do
penetration scans and things like that. I'm not aware of any free
scans. Periodic code reviews are also part of the equation if you
process enough transactions to cross certain thresholds.

-Nathan

Chris

Apr 14, 2009, 12:42:52 PM
to Orlando Ruby Users Group Discussion
Darn. I was hoping I was wrong! :)

Have you checked into the invisible redirect (like Braintree has) to
avoid this mess? I'm just wondering if that gets around the PCI
compliance requirements?

-Chris

Nathan Kopp

Apr 14, 2009, 1:21:55 PM
to orug-di...@googlegroups.com
From talking with our consultants, it would seem that using a mechanism like Braintree's product (or something like Paypal or Google Checkout) will successfully remove the need for your application and network to be scanned or reviewed. The important part is that the credit card numbers will no longer pass through your hardware or software or network infrastructure. The card numbers travel directly from the user's browser to the external vendor and are stored in their off-site location only.

I'm not a PCI expert, but my understanding of the requirements is based on discussions with the security consultants that we have contracted specifically to help us with PCI compliance.

We are actually planning to create our own system similar to what Braintree is doing, but using AJAX (cross-domain) to make the integration even more seamless for the customer and allow us to invisibly integrate with our "enterprise" systems, such as Siebel and PeopleSoft. Though we're not completely offloading credit cards, our goal is to greatly reduce the scope of our PCI compliance need, so that only this small special-purpose web application and limited portions of our network will need to comply with the strict PCI regulations. That way we don't have to submit every system to mandatory code reviews and expensive penetration tests.
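
The flow Nathan describes only reduces scope if card numbers really never reach the application's own controllers. One way to verify that in a Rails/Rack app is to watch for Luhn-valid card numbers arriving in request parameters and alert when one does. The Ruby below is an added example, not code from this thread or from ActiveMerchant, Braintree or Saasy; the `PanScopeGuard` module and its method names are hypothetical, and it assumes a Rack-compatible application (only the Ruby standard library is required).

```ruby
require 'uri'
require 'stringio'

# Hypothetical PanScopeGuard (added example): flags requests whose parameters
# carry a Luhn-valid primary account number, i.e. card data that reached the
# application's own stack instead of going browser-to-vendor. The Luhn check
# keeps order numbers and phone numbers from being mis-flagged.
module PanScopeGuard
  def self.luhn_valid?(digits)
    sum = 0
    digits.reverse.each_char.with_index do |ch, i|
      d = ch.to_i
      d *= 2 if i.odd?
      d -= 9 if d > 9
      sum += d
    end
    (sum % 10).zero?
  end

  # Names of parameters whose value looks like a PAN: 13-19 digits,
  # spaces or dashes allowed, Luhn-valid.
  def self.pan_params(params)
    params.select do |_name, value|
      digits = value.to_s.delete(' -')
      digits.match?(/\A\d{13,19}\z/) && luhn_valid?(digits)
    end.keys
  end

  # Query string plus form-encoded body from a Rack env (stdlib only).
  def self.params_from_env(env)
    raw = env['QUERY_STRING'].to_s
    if (input = env['rack.input'])
      body = input.read.to_s
      input.rewind if input.respond_to?(:rewind) # leave the body for the app
      raw = [raw, body].reject(&:empty?).join('&')
    end
    URI.decode_www_form(raw).to_h
  end

  class Middleware
    def initialize(app, logger: $stderr)
      @app = app
      @logger = logger
    end
    def call(env)
      hits = PanScopeGuard.pan_params(PanScopeGuard.params_from_env(env))
      @logger.puts "PAN reached app at #{env['PATH_INFO']} in #{hits.inspect}" unless hits.empty?
      @app.call(env) # never block: this is a scope-creep alarm, not a WAF
    end
  end
end
```

Mount it with `use PanScopeGuard::Middleware` and route the log line to whatever your monitoring already watches; a single hit means the invisible-redirect integration is leaking card data back into scope.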

Nathan Kopp

Apr 14, 2009, 1:24:35 PM
to orug-di...@googlegroups.com
Oh... I forgot one thing. Our security consultants did inform me that Braintree is not yet on the "approved vendor" list for Visa. I was told that they are approved by MasterCard (and maybe others), but not Visa. Presumably, that approval is in process (and might be complete already), but that would be something that you should research before choosing any vendor. If the vendor isn't "approved," then you won't be PCI compliant.

Chris

Apr 14, 2009, 2:07:30 PM
to Orlando Ruby Users Group Discussion
Thanks for all the replies! Great info.

Nathan, I'll definitely check into Braintree's Visa compliance.
Thanks for the tip.

This leads me to wonder then, why don't ActiveMerchant/Saasy/RailsKit
support invisible redirect if it seems to be such a big deal for PCI
compliance? Seems like that would be a great feature for those
systems to have oob. Or am I just missing something?

-Chris