[Phpwm] Sagepay Direct integration - PCI Compliance

Mon Nov 9 02:55:27 UTC 2009

Hi Dave, Andy,

Some very useful & helpful comments there which put things in
perspective somewhat - thank-you.

I don't run my own servers, but the webhosting company with whom I'm
working will bend over, if not backwards, at least sideways to help. 

B.

Dave Holmes wrote:
>
> PCI compliance depends on the volume of transactions and you have to
> be doing serious volume to get out of level 1 compliance which is a
> scan and self certification questionnaire.
>
> The scan will hit your system for now exploits or vulnerabilities and
> provided a report of what you need to fix, we managed to secure our
> platform once so all of our clients pass. The only thing it found for
> us was one injection issue on a contact form and the fact that our
> load balancer was supporting SSL2 and weak ciphers which was easy
> enough to resolve.
>
> I understand that this is not compulsory but failure to implement can
> result in the cancellation of you card processing rights in the event
> of fraud - so for the sake of £120 per year per merchant and a bit of
> work to the e-commerce platform essesntial
>
>
> Andy Cowan wrote:
>> Several issues/experiences spring to mind:
>>
>> 1. AFAIR PCI compliance is not the compulsory thing it's being made
>> out to be much of the time - effectively it's a liability shift, like
>> with chip and pin, and a revenue earning opportunity, as the card
>> companies push merchant to people to security testers like
>> SecurityMetrics for compliance. In all the cases that we've dealt
>> with so far, badly informed bank sales staff have scared our
>> merchants into paying for Security Metrics when they really didn't
>> need it. Worldpay have issues of their own, just look at the security
>> issues they've had this year...
>>
>> 2. However, despite this, it's not that hard to acheive PCI
>> compliance - depnding on whether you run your own servers (dedicated
>> or VPS) or whether your host bothers with it. It can however be a
>> pain with some OS' - Windows/Centos/Redhat sping to mind (for
>> entirely different reasons). We have to ensure all our servers are
>> PCI compliant and once they are compliant, keeping them there isn't
>> too much of a chore.
>>
>> 3. There are easy ways round if you want to play the system - I know
>> of at least one customer who is compliant because what is actually
>> being scanned in the load balancer in front of his windows machines,
>> not the servers themselves. Not strictly within the spirit, but
>> definitely passes SecurityMetrics scans..
>>
>> I think that your analysis that they are going to push e-commerce
>> into a tighter and tighter corner is probably correct, but I think
>> then that the onus on providing that 'corner' is going to fall on the
>> hosting companies - I imagine that if I was to offer PCI compliant
>> hosting, you'd be interested in having me deal with that for you?
>> It's a function of the hosting environment I think...
>>
>> A.
>>
>> On 06/11/2009 16:21, Bronwen Reid wrote:
>>> Hello,
>>>
>>> Andy's right - integration with Sagepay direct is fairly okay, and
>>> the online examples are useful.
>>>
>>> However, something I've been looking at recently is PCI DSS
>>> compliance.  Sagepay mention this, but don't emphasis it; Worldpay
>>> ask for a Payment Card Industry Data Security (PCI DSS)
>>> Vulnerability Scan before they let people use the XML direct
>>> transfers (their equivalent of the sagepay direct model)
>>>
>>> But I think PCI compliance going to become more and more of an issue
>>> - credit card companies are making great efforts to tighten up on
>>> security and this seems to involve pushing e-commerce into a very
>>> restrictive environment where solutions like paypal or google
>>> checkout will be the norm.
>>>
>>> Has anyone got any experiences here, good or bad?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.lug.org.uk/pipermail/phpwm/attachments/20091109/d4fa52ad/attachment.htm 