Just wondering if anyone can tell me if the ecommerce module is or will be pci dss compliant?
PCI Compliance is a must have for a payment gateway.
The fact that this question is unanswered worries me.
Have you started looking into whether you are PCI compliant?
Are you guys scanning your base install with NESSUS (because it is free) or any other vulnerability scanning tool?
It's a must for "direct payments" but for "hosted payments" which is what I believe e commerce uses then it is the "hosts" network that needs to be PCI compliant. In other words the e-commerce payment methods direct you away from www.yoursite.com to the www.paymenthost.com site and so you needn't worry about PCI.
Hmmm...maybe that is true, but I disagree for other reasons and due to my companies experience. Also, I agree with you for other reasons too.
Reasons I disagree:
There are other factors. Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted ip access to another device that must be PCI compliant. That is why people segment off their PCI compiant devices from the rest of the network in a DMZ. Some even have two DMZs, a PCI compliant one and a non-PCI compliant one. Others unfortunately can't afford two DMZs so they have to make all devices in the DMZ PCI compliant.
The company I work for has an appliance-based product that sits int he DMZ and had such and overwhelming demand for PCI compliance just so the box could sit in the DMZ, we had to do it.
So some customers will need SilverStripe to be PCI compliant just to allow a web server using it into their DMZ, regardless of whether they are using it for a e-commerce site or not.
Reasons I agree that PCI compliance is not need by SilverStripe themselves:
Now PCI compliancy is not all on SilverStripe. The OS matters, the web server used matters (Apache, Lighttp, nginx), etc... So maybe it is impossible to get PCI compliant because there are so many other factors outside of SilverStripe control.
I think that SilverStripe would get some big bang for the buck if they created an appliance server that SilverStripe.com sold.
PF to nat to jails
webserver in a jail
- Apache, lighttpd, or nginx
Postgresql in a separate jail
Then they could get this appliance certified as PCI compliant. That way, at least there would be a known configuration that is PCI Compliant and I think the appliance would sell to businesses like hot cakes.
"Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted ip access to another device that must be PCI compliant"
So for hosted payments where you only get secure access (which is why they can be a real pain to integrate) you don't need to be PCI because you are accessing the PCI compliant site securely - you never have the opportunity of getting the credit card details.
But yes if they hold credit card details on the same server then the server will need to be checked - but then people will already deal with that and it really isn't anything to do with e commerce module here.