
E-Commerce Modules


PCI - DSS Compliant



chrisdarl

28 June 2009 at 6:28am Community Member, 33 Posts

Just wondering if anyone can tell me if the ecommerce module is or will be PCI DSS compliant?

Rhyous

29 October 2010 at 9:33am Community Member, 7 Posts

PCI Compliance is a must have for a payment gateway.

The fact that this question is unanswered worries me.

Have you started looking into whether you are PCI compliant?

Are you guys scanning your base install with NESSUS (http://www.nessus.org/nessus/) (because it is free) or any other vulnerability scanning tool?

swaiba

29 October 2010 at 11:06pm Forum Moderator, 1796 Posts

It's a must for "direct payments" but for "hosted payments", which is what I believe e-commerce uses, then it is the "host's" network that needs to be PCI compliant. In other words the e-commerce payment methods direct you away from www.yoursite.com to the www.paymenthost.com site and so you needn't worry about PCI.

Rhyous

30 October 2010 at 2:46am Community Member, 7 Posts

Hmmm...maybe that is true, but I disagree for other reasons and due to my company's experience. Also, I agree with you for other reasons too.

Reasons I disagree:

There are other factors. Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted IP access to another device that must be PCI compliant. That is why people segment off their PCI compliant devices from the rest of the network in a DMZ. Some even have two DMZs, a PCI compliant one and a non-PCI compliant one. Others unfortunately can't afford two DMZs so they have to make all devices in the DMZ PCI compliant.

The company I work for has an appliance-based product that sits in the DMZ and had such an overwhelming demand for PCI compliance just so the box could sit in the DMZ, we had to do it.

So some customers will need SilverStripe to be PCI compliant just to allow a web server using it into their DMZ, regardless of whether they are using it for an e-commerce site or not.

Reasons I agree that PCI compliance is not needed by SilverStripe themselves:

Now PCI compliancy is not all on SilverStripe. The OS matters, the web server used matters (Apache, lighttpd, nginx), etc... So maybe it is impossible to get PCI compliant because there are so many other factors outside of SilverStripe's control.

I think that SilverStripe would get some big bang for the buck if they created an appliance server that SilverStripe.com sold.

FreeBSD OS
PF to nat to jails
webserver in a jail
- Apache, lighttpd, or nginx
- PHP
- SilverStripe
Postgresql in a separate jail

Then they could get this appliance certified as PCI compliant. That way, at least there would be a known configuration that is PCI Compliant and I think the appliance would sell to businesses like hot cakes.
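The jail layout proposed in the post above, written out as the host's pf.conf, as an added example that is not from the post, from SilverStripe or from any shipped appliance; the interface names, jail addresses and admin network are assumed. It applies the thread's own point: the database jail gets no redirect and no unrestricted path from the web jail, only the single PostgreSQL port.

```pf
# /etc/pf.conf on the FreeBSD jail host (added example; every name and address below is assumed)
ext_if    = "em0"           # public interface of the appliance
jail_if   = "lo1"           # cloned loopback the jails are bound to
web_jail  = "10.0.0.10"     # jail: Apache/lighttpd/nginx + PHP + SilverStripe
db_jail   = "10.0.0.20"     # jail: PostgreSQL
admin_net = "192.0.2.0/24"  # where host administration comes from

set skip on lo0

# "PF to nat to jails": only HTTP/HTTPS is redirected into the web jail.
# Nothing is ever redirected to the database jail, so it is unreachable from outside.
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_jail

# Default deny, on the public interface and between the jails alike.
block all

# Inbound web traffic (destination already rewritten to the jail address by rdr).
pass in on $ext_if proto tcp from any to $web_jail port { 80, 443 } \
    flags S/SA keep state

# The only jail-to-jail path: web jail -> PostgreSQL. Anything else between the
# jails (ssh, the reverse direction, other ports) stays blocked, which is the
# "no unrestricted IP access" condition discussed in the thread.
pass on $jail_if proto tcp from $web_jail to $db_jail port 5432 \
    flags S/SA keep state

# The host itself may go out (package updates). Jail-sourced packets do not
# match this rule because no nat rule rewrites their source address, so neither
# jail can open outbound connections at all.
pass out on $ext_if from ($ext_if) to any keep state

# Host administration only from the admin network.
pass in on $ext_if proto tcp from $admin_net to ($ext_if) port 22 \
    flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the resulting rule set.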

swaiba

30 October 2010 at 3:42am (Last edited: 30 October 2010 3:44am), Forum Moderator, 1796 Posts

"Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted ip access to another device that must be PCI compliant"

So for hosted payments where you only get secure access (which is why they can be a real pain to integrate) you don't need to be PCI because you are accessing the PCI compliant site securely - you never have the opportunity of getting the credit card details.

But yes, if they hold credit card details on the same server then the server will need to be checked - but then people will already deal with that and it really isn't anything to do with the e-commerce module here.