Does anyone have any idea if the now righteous goal of PCI compliance is being built into osC 3.0? There seems to be a general rumbling these days from VISA and MC, and it's looking like system audits are coming soon.
Thanks.
PCI compliance?
Started by menriquez, Mar 09 2007, 21:21
4 replies to this topic
#1
Posted 09 March 2007, 21:21
#2
Posted 09 March 2007, 23:19
I'll have a look into it.
#3
Posted 10 March 2007, 17:15
osCommerce mustn't store credit card data in the database (edits to the order process and fields in db tables), and the Credit Card Module needs to be removed from the new version.
Vger
Edited by Vger, 10 March 2007, 17:15.
#4
Posted 10 March 2007, 22:14
Vger, on Mar 10 2007, 12:15 PM, said:
osCommerce mustn't store credit card data in the database (edits to the order process and fields in db tables), and the Credit Card Module needs to be removed from the new version.
Vger
The CC module is quite safely used with the split number option. It's important to me and many others with physical stores.
Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux
Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
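Post #3's point that the store database must hold no card data, and post #4's reliance on the split-number option, are both things an audit can check mechanically. The following is an added example (not osCommerce code, and written in Python rather than the store's PHP) that scans constructed sample order rows for Luhn-valid card numbers, so a column still holding a full PAN, or a split-number order whose full PAN leaked into a free-text field, gets flagged and reported only in masked form. The column names and sample rows are assumptions; the card numbers are well-known test numbers.

```python
import re
from typing import List, Tuple

# Constructed sample rows, shaped like an orders table with a cc_number column.
# Row 2 is what a split-number order should look like; row 3 shows a full PAN
# leaking into a free-text comment; row 4 is a 13-digit reference that is not a card.
SAMPLE_ROWS = [
    {"orders_id": 1, "cc_number": "4111111111111111", "cc_expires": "0309"},
    {"orders_id": 2, "cc_number": "4111XXXXXXXX1111", "cc_expires": "0309"},
    {"orders_id": 3, "cc_number": "", "comments": "Card 5555 5555 5555 4444 given by phone"},
    {"orders_id": 4, "comments": "Order ref 1234567890123"},
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracting 9 above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid digit run in the text, separators stripped."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS permits to be displayed."""
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def audit_rows(rows) -> List[Tuple[int, str, str]]:
    """Return (orders_id, column, masked_pan) for every full PAN found in any string column."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if isinstance(val, str):
                for pan in find_pans(val):
                    findings.append((row["orders_id"], col, mask_pan(pan)))
    return findings
```

Running `audit_rows(SAMPLE_ROWS)` flags rows 1 and 3 only; the split-number row and the non-Luhn reference pass.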
#5
Posted 11 March 2007, 09:10
My understanding is that if you are collecting credit card details on your site as a merchant then your site and server (as well as internal connected systems) must meet certain security requirements and your systems will be subject to an audit. If you are providing hosting for sites collecting payment details then you will be classified as a Level 1 Service Provider and will also be subject to an audit and have to comply. See the Visa information here.
The easiest approach for many will be to use a PCI DSS compliant third party payment gateway such as Protx.
Further reading:
Visa U.S.A. adds financial incentives, fines to PCI program
Visa upgrades PCI merchant classifications
PCI Blog
10 Steps to Creating Your Own IT Security Audit
Merchant Services — Payment Card Industry (PCI) Data Security Standards FAQs
The other issue that has puzzled me recently is the PCI's policy on email security (and particularly with reference to the Data Protection Act in the UK); will all emails containing customer contact details soon need to be encrypted using e.g. PGP? Transaction confirmation emails from PCI compliant payment gateways are normally in HTML and, although they don't hold card numbers, they do usually hold other card data, i.e. name and address.