[Phpwm] Sagepay Direct integration - PCI Compliance

Dave Holmes dave at neteffekt.co.uk
Fri Nov 6 17:08:01 UTC 2009


PCI compliance depends on the volume of transactions, and you have to be
doing serious volume to get out of level 1 compliance, which is a scan
and self-certification questionnaire.

The scan will hit your system for known exploits or vulnerabilities and
provide a report of what you need to fix. We managed to secure our
platform once so all of our clients pass. The only thing it found for us
was one injection issue on a contact form and the fact that our load
balancer was supporting SSL2 and weak ciphers, which was easy enough to
resolve.

I understand that this is not compulsory, but failure to implement can
result in the cancellation of your card processing rights in the event of
fraud - so for the sake of £120 per year per merchant and a bit of work
to the e-commerce platform, it's essential.


Andy Cowan wrote:
> Several issues/experiences spring to mind:
>
> 1. AFAIR PCI compliance is not the compulsory thing it's being made
> out to be much of the time - effectively it's a liability shift, like
> with chip and pin, and a revenue earning opportunity, as the card
> companies push merchants to security testers like
> SecurityMetrics for compliance. In all the cases that we've dealt with
> so far, badly informed bank sales staff have scared our merchants into
> paying for Security Metrics when they really didn't need it. Worldpay
> have issues of their own, just look at the security issues they've had
> this year...
>
> 2. However, despite this, it's not that hard to achieve PCI compliance
> - depending on whether you run your own servers (dedicated or VPS) or
> whether your host bothers with it. It can however be a pain with some
> OS' - Windows/Centos/Redhat spring to mind (for entirely different
> reasons). We have to ensure all our servers are PCI compliant and once
> they are compliant, keeping them there isn't too much of a chore.
>
> 3. There are easy ways round if you want to play the system - I know
> of at least one customer who is compliant because what is actually
> being scanned is the load balancer in front of his windows machines,
> not the servers themselves. Not strictly within the spirit, but
> definitely passes SecurityMetrics scans..
>
> I think that your analysis that they are going to push e-commerce into
> a tighter and tighter corner is probably correct, but I think then
> that the onus on providing that 'corner' is going to fall on the
> hosting companies - I imagine that if I was to offer PCI compliant
> hosting, you'd be interested in having me deal with that for you? It's
> a function of the hosting environment I think...
>
> A.
>
> On 06/11/2009 16:21, Bronwen Reid wrote:
>> Hello,
>>
>> Andy's right - integration with Sagepay direct is fairly okay, and
>> the online examples are useful.
>>
>> However, something I've been looking at recently is PCI DSS
>> compliance.  Sagepay mention this, but don't emphasise it; Worldpay
>> ask for a Payment Card Industry Data Security (PCI DSS) Vulnerability
>> Scan before they let people use the XML direct transfers (their
>> equivalent of the sagepay direct model).
>>
>> But I think PCI compliance is going to become more and more of an issue
>> - credit card companies are making great efforts to tighten up on
>> security and this seems to involve pushing e-commerce into a very
>> restrictive environment where solutions like paypal or google
>> checkout will be the norm.
>>
>> Has anyone got any experiences here, good or bad?
>>
>>
>>
>> Gavin Kimpson wrote:
>>> Hi Guys,
>>>
>>> I've done Sagepay integrations in the past with no issues but these
>>> have usually been using the more simple 'Form' approach, however this
>>> time I would like to build an integration with Sagepay Direct. Does
>>> anyone know of any pre-built classes that perform Sagepay Direct
>>> integration as I'd prefer to not use an entire pre-built eCommerce
>>> system like Magento.
>>>
>>> Thanks in advance
>>>
>>> _______________________________________________
>>> Phpwm mailing list
>>> Website : http://www.phpwm.org
>>> Twitter : http://www.twitter.com/phpwm
>>> Facebook: http://www.facebook.com/group.php?gid=2361609907
>>>
>>> Post to list: Phpwm at mailman.lug.org.uk
>>> Archive etc : https://mailman.lug.org.uk/mailman/listinfo/phpwm
>>>
>>
>> -- 
>> Bronwen Reid, 