alan dunn wrote:
| We wonder if others in the group are familiar with the 'Payment Card
| Industry Data Security Standard' and if so does anyone have any
| experience of being audited or gaining compliance certification for any
| customer apps they are hosting?

No; however, a friend of mine wrote a fairly good article in Linux User
and Developer some months ago covering the various aspects that need to
be 'covered' and how this can be done using Linux+FLOSS stuff.

Some of the things were (from memory) along the lines of "the database
can't be connected directly to the internet"

If you're interested, I'll try and hassle him and see if he can/will
make the original text to the article available somehow.

| Here is a direct quote from our client's email "all companies which
| handle credit card data must be PCI DSS compliant by the end of March.
| This is the Payment Card Industry Data Security Standard which all
| companies have to comply with. It’s all really technical but the main
| point is that if you are not compliant then the responsibility for any
| fraud sits with you and not with the banks"
| Here is a link: http://www.itgovernance.co.uk/pci_dss.aspx
| The issue of 'responsibility for fraud' certainly raises some
| interesting contractual questions about the consequences of hosting
| customer data - especially credit card data.

Yes it does.
But, I think it's a necessary step to ensure that people's data isn't
lost. If it happens to make web site operators think about the security
of their application, then all the better.


