[Phpwm] PCI DSS security standard

Phil Beynon phil at infolinkelectronics.co.uk
Thu Mar 27 18:42:14 GMT 2008

 > alan dunn wrote:
> | We wonder if others in the group are familiar with the 'Payment Card
> | Industry Data Security Standard' and if so does anyone have any
> | experience of being audited or gaining compliance certification for any
> | customer apps they are hosting?
> No; however a friend of mine wrote a fairly good article in Linux USer
> and Developer some months ago covering the various aspects that need to
> be 'covered' and how this can be done using Linux+FLOSS stuff.
> Some of the things were (from memory) along the lines of "the database
> can't be connected directly to the internet"
> If you're interested, I'll try and hassle him and see if he can/will
> make the original text to the article available somehow.
> | Here is a direct quote from our client's email "all companies which
> | handle credit card data must be PCI DSS compliant by the end of March.
> | This is the Payment Card Industry Data Security Standard which all
> | companies have to comply with. It’s all really technical but the main
> | point is that if you are not compliant then the responsibility for any
> | fraud sits you with you and not with the banks"
> |
> | Here is a link: http://www.itgovernance.co.uk/pci_dss.aspx
> |
> | The issue of 'responsibility for fraud' certainly raises some
> | interesting contractual questions about the consequences of hosting
> | customer data - especially credit card data.
> Yes it does.
> But, I think it's a necessary step to ensure that people's data isn't
> lost. If it happens to make web site operators think about the security
> of their application, then all the better.
> Thanks
> David.

This is something I am actively involved with for hosted customers.
I am writing up a list of flaws in their procedures and am just about to 
tell securitymetrics what a load of bollocks their testing process actually 
is. They don't seem to have any comprehension that a site can be siting on 
shared hosting for one thing.
Everytime I get anywhere near actual compliance all that happens is they 
move the goalposts yet again and fail a whole load of new items, including 
now the latest release of Actinic Catalog software.
If its something you are working towards as well I'd be interested to see 
how you were getting past various hurdles.


More information about the Phpwm mailing list