
PCI compliance breaks VPS and other sites


7 replies to this topic

#1 jeremyschultz

  • Community Member
  • 3 posts
  • Real Name:Jeremy Schultz

Posted 23 March 2010, 20:17

I'm having a really tough time handling PCI compliance for a particular website on my 1&1 VPS. This VPS runs Windows and Plesk and has worked well for me and the websites I host there. The newest one has a donation form that sends data to Authorize.net for processing.

My problem is the client requires PCI compliance and runs the Trustkeeper scan. We've been fielding all the various changes but it is causing havoc with Plesk and the VPS. Last month a required update of PHP broke Plesk's statistics program so all my customers don't have compiled stats now. I'm sure future changes will cause future problems, and I don't have the expertise or the budget to hire IT professionals every other week to make changes.

So my questions,

1. Does a setup like mine (no cc info stored, only sent to third-party processor) require all these fixes?
2. Is there an online service perhaps that will host my donor page and maintain its compliance?

Jeremy

#2 web-project

  • Community Member
  • 4,310 posts
  • Real Name:Alex
  • Gender:Male
  • Location:Hertfordshire, UK

Posted 23 March 2010, 21:24

Quote

1. Does a setup like mine (no cc info stored, only sent to third-party processor) require all these fixes?
As your client processes CC via a 3rd party gateway, you don't need to do the PCI compliance. The PCI compliance is needed when you store the cc information on your server.
Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.
Any issues with oscommerce, I am here to help you.

#3 jeremyschultz

  • Community Member
  • 3 posts
  • Real Name:Jeremy Schultz

Posted 24 March 2010, 00:05

I found this on Authorize.net's developer FAQs that seems to apply:

Does my solution have to be Payment Card Industry (PCI) Data Security Standard certified?
The card associations do not currently require payment applications to be PCI certified. However, Visa does provide many useful guidelines and best practices for payment applications that help to provide strengthened security for merchants. Visit Visa's Cardholder Information Security Program (CISP) for more information.

Authorize.Net is fully PCI certified, and dedicates many resources to maintaining our certification with Visa.


But then I see this on pcicomplianceguide.com:

Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.

I don't understand who/what is correct, as it seems like things are unclear.

#4 toyicebear

  • Community Sponsor
  • 5,694 posts
  • Real Name:Nick
  • Location:World Citizen

Posted 24 March 2010, 01:32

If you collect and/or transmit the cc info on your site you will need to be PCI compliant.

This is even if you use a 3rd party processor like authorize.net.



If you send the customer to complete the payment on a payment page hosted on the payment processors server then you don't need to be PCI compliant.

I.e. the customer leaves your site to complete the payment and is then returned back to your website when payment has been done, like PayPal Standard payment and similar payment services which offer hosted payment pages.
Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce

Check out my profile [click here] for information on professional services, custom coding, templates, SEO optimization, modifications, commercial support and help.

#5 jeremyschultz

  • Community Member
  • 3 posts
  • Real Name:Jeremy Schultz

Posted 24 March 2010, 17:47

Quote

If you collect and/or transmit the cc info on your site you will need to be PCI compliant.

Like I said, attempting this compliance is ruining apps on my VPS. What would be my options? I'm thinking I might need to move this one form page off-site and somewhere that is PCI-compliant, but I don't know of services that do this. Authorize.net does have a SIM method that appears to keep everything on their server.

Jeremy

#6 web-project

  • Community Member
  • 4,310 posts
  • Real Name:Alex
  • Gender:Male
  • Location:Hertfordshire, UK

Posted 24 March 2010, 21:27

Quote

If you collect and/or transmit the cc info on your site you will need to be PCI compliant.

This is even if you use a 3rd party processor like authorize.net.

By 3rd party gateway I mean 2CO, PayPal (not Pro!), Nochex, as some stores do not collect or transmit any information about CC except client info!

Quote

Authorize.Net

works exactly the same way as PayPal Pro: simply, the client can pay for goods without leaving the website, whereas the above 3rd party gateways collect CC information on their website and don't require PCI compliance.

#7 toyicebear

  • Community Sponsor
  • 5,694 posts
  • Real Name:Nick
  • Location:World Citizen

Posted 25 March 2010, 02:34

jeremyschultz, on 24 March 2010, 17:47, said:


Like I said, attempting this compliance is ruining apps on my VPS. What would be my options? I'm thinking I might need to move this one form page off-site and somewhere that is PCI-compliant, but I don't know of services that do this. Authorize.net does have a SIM method that appears to keep everything on their server.

Jeremy

here are some:

2checkout

Nochex

Moneybookers

PayPal Standard ( Not PRO! )

Cre Secure

#8 MrPhil

  • Community Member
  • 3,291 posts
  • Real Name:Phil
  • Gender:Male

Posted 25 March 2010, 16:48

To summarize it as I understand, if your payment system has you collecting and handling the credit card number or any other sensitive customer financial information, you must be PCI-DSS compliant. This includes all "payment gateway/merchant account" payment systems, as well as PayPal Pro. If you see or touch such information at any point, you have to be compliant (even if you don't store the information, but merely pass it on). On the other hand, if you just "throw it over the wall" to a third party payment system, where they ask for and handle the credit card information, they are the ones who have to be PCI-DSS compliant. If you just hand off the matter of getting payment to PayPal (non-Pro) and other "third party" payment systems, you don't have to be PCI-DSS compliant yourself, as you never see sensitive financial data.

Note that pages collecting or displaying customer personal information, such as address and phone, should be SSL-protected. Customers will be more comfortable handing over such information (and make a purchase) if they see they're at least somewhat protected. It's up to you to adequately protect such personal information once it's on your system, but legal requirements vary by country (US is very lax, while European countries can be quite strict). Finally, sites dealing with medical equipment, medicines, and the like (which give a hint as to customer medical conditions) may come under special rules (e.g., HIPAA in the US) for handling medical data.