
SilverStripe Forums » E-Commerce Modules » PCI - DSS Compliant

  • chrisdarl (Community Member)

    PCI - DSS Compliant

    Just wondering if anyone can tell me if the ecommerce module is or will be PCI DSS compliant?

  • Rhyous (Community Member)

    Re: PCI - DSS Compliant

    PCI Compliance is a must have for a payment gateway.

    The fact that this question is unanswered worries me.

    Have you started looking into whether you are PCI compliant?

    Are you guys scanning your base install with NESSUS (because it is free) or any other vulnerability scanning tool?

  • swaiba (Forum Moderator)

    Re: PCI - DSS Compliant

    It's a must for "direct payments", but for "hosted payments", which is what I believe e-commerce uses, it is the "host's" network that needs to be PCI compliant. In other words, the e-commerce payment methods direct you away from www.yoursite.com to the www.paymenthost.com site, and so you needn't worry about PCI.

  • Rhyous (Community Member)

    Re: PCI - DSS Compliant

    Hmmm... maybe that is true, but I disagree for other reasons and due to my company's experience. Also, I agree with you for other reasons too.

    Reasons I disagree:

    There are other factors. Such as: a device must be PCI compliant if it is even on the same subnet or has unrestricted IP access to another device that must be PCI compliant. That is why people segment off their PCI compliant devices from the rest of the network in a DMZ. Some even have two DMZs, a PCI compliant one and a non-PCI compliant one. Others unfortunately can't afford two DMZs, so they have to make all devices in the DMZ PCI compliant.

    The company I work for has an appliance-based product that sits in the DMZ and had such an overwhelming demand for PCI compliance, just so the box could sit in the DMZ, that we had to do it.

    So some customers will need SilverStripe to be PCI compliant just to allow a web server using it into their DMZ, regardless of whether they are using it for an e-commerce site or not.

    Reasons I agree that PCI compliance is not needed by SilverStripe themselves:

    Now PCI compliancy is not all on SilverStripe. The OS matters, the web server used matters (Apache, lighttpd, nginx), etc. So maybe it is impossible to get PCI compliant because there are so many other factors outside of SilverStripe's control.

    I think that SilverStripe would get some big bang for the buck if they created an appliance server that SilverStripe.com sold.

    - FreeBSD OS
    - PF to NAT to jails
    - Web server in a jail
      - Apache, lighttpd, or nginx
      - PHP
      - SilverStripe
    - PostgreSQL in a separate jail

    Then they could get this appliance certified as PCI compliant. That way, at least there would be a known configuration that is PCI Compliant and I think the appliance would sell to businesses like hot cakes.
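    As an added illustration of the two points made above (segmenting PCI-scope devices off from the rest of the network, and the FreeBSD/PF/jails appliance layout), here is a pf.conf sketch. It is not from the thread or from SilverStripe; every interface name, address and jail IP in it is an assumed placeholder, and it only shows the filtering side, not the jail configuration itself.

```pf
# Added example (not from the thread): FreeBSD pf.conf for the layout above.
# Interface names, addresses and jail IPs are assumed placeholders.
ext_if   = "em0"             # public side of the appliance
jail_if  = "lo1"             # cloned loopback carrying the jail addresses (assumed)
web_jail = "10.0.1.10"       # web server jail: Apache/lighttpd/nginx + PHP + SilverStripe
db_jail  = "10.0.2.10"       # PostgreSQL jail, on its own segment
office   = "192.168.0.0/24"  # non-PCI internal network (assumed)
mgmt     = "192.168.0.5"     # the one host allowed to administer the jails (assumed)

set skip on lo0
scrub in all

# Outbound NAT for the jails (OS and package updates, outbound API calls)
nat on $ext_if from { $web_jail, $db_jail } to any -> ($ext_if)

# Publish only the web server; nothing from outside is redirected to the DB jail
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $web_jail

block all                    # default deny in both directions
pass out all keep state      # host and jails may initiate outbound connections

# Non-PCI office network never talks directly to either jail
block in quick on $jail_if from $office to { $web_jail, $db_jail }

# Inbound to the web jail: HTTP/HTTPS only (pf sees the address after rdr)
pass in on $ext_if proto tcp to $web_jail port { 80, 443 } flags S/SA keep state

# The web jail is the only peer the DB jail accepts, and only on PostgreSQL's port
pass in on $jail_if proto tcp from $web_jail to $db_jail port 5432 keep state

# Administration of either jail only from the management host
pass in on $jail_if proto tcp from $mgmt to { $web_jail, $db_jail } port 22 keep state
```

    The point of the split is scope: the only hosts with unrestricted reachability to the database are the web jail and the management host, so a PCI assessment of the appliance does not automatically pull the whole office subnet into scope. Load it with `pfctl -nf /etc/pf.conf` first to check the syntax before enabling it.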

  • swaiba (Forum Moderator)

    Re: PCI - DSS Compliant

    "Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted ip access to another device that must be PCI compliant"

    So for hosted payments, where you only get secure access (which is why they can be a real pain to integrate), you don't need to be PCI because you are accessing the PCI compliant site securely: you never have the opportunity of getting the credit card details.

    But yes, if they hold credit card details on the same server then the server will need to be checked. But then people will already deal with that, and it really isn't anything to do with the e-commerce module here.
