[Phpwm] PCI DSS security standard

[David Goodwin]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

alan dunn wrote:
| We wonder if others in the group are familiar with the 'Payment Card
| Industry Data Security Standard' and if so does anyone have any
| experience of being audited or gaining compliance certification for any
| customer apps they are hosting?

No; however a friend of mine wrote a fairly good article in Linux USer
and Developer some months ago covering the various aspects that need to
be 'covered' and how this can be done using Linux+FLOSS stuff.

Some of the things were (from memory) along the lines of "the database
can't be connected directly to the internet"

If you're interested, I'll try and hassle him and see if he can/will
make the original text to the article available somehow.


| Here is a direct quote from our client's email "all companies which
| handle credit card data must be PCI DSS compliant by the end of March.
| This is the Payment Card Industry Data Security Standard which all
| companies have to comply with. It’s all really technical but the main
| point is that if you are not compliant then the responsibility for any
| fraud sits you with you and not with the banks"
|
| Here is a link: http://www.itgovernance.co.uk/pci_dss.aspx
|
| The issue of 'responsibility for fraud' certainly raises some
| interesting contractual questions about the consequences of hosting
| customer data - especially credit card data.

Yes it does.
But, I think it's a necessary step to ensure that people's data isn't
lost. If it happens to make web site operators think about the security
of their application, then all the better.


Thanks
David.

- --
David Goodwin

[ david at codepoets dot co dot uk ]
[ http://www.codepoets.co.uk       ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFH63zp/ISo3RF5V6YRAkh9AJ9H5zmisf/p4hd9z0Gbp8E+nNncYQCg31A3
3nIfjCiW+4K4JrdsMYMOVRU=
=rCkj
-----END PGP SIGNATURE-----