Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

E-Commerce Modules /

Discuss about the various e-commerce modules available:
Ecommerce, SS Shop, SilverCart and SwipeStripe
Alternatively, have a look the shared mailinglist.

Moderators: martimiz, Nicolaas, Sean, Ed, frankmullenger, biapar, Willr, Ingo, Jedateach, swaiba

PCI - DSS Compliant

Go to End

5 Posts   2440 Views


Community Member, 33 Posts

28 June 2009 at 6:28am

Just wondering if anyone can tell me if the ecommerce module is or will be pci dss compliant?


Community Member, 7 Posts

29 October 2010 at 9:33am

PCI Compliance is a must have for a payment gateway.

The fact that this question is unanswered worries me.

Have you started looking into whether you are PCI compliant?

Are you guys scanning your base install with NESSUS (because it is free) or any other vulnerability scanning tool?


Forum Moderator, 1899 Posts

29 October 2010 at 11:06pm

It's a must for "direct payments" but for "hosted payments" which is what I believe e commerce uses then it is the "hosts" network that needs to be PCI compliant. In other words the e-commerce payment methods direct you away from to the site and so you needn't worry about PCI.


Community Member, 7 Posts

30 October 2010 at 2:46am

Hmmm...maybe that is true, but I disagree for other reasons and due to my companies experience. Also, I agree with you for other reasons too.

Reasons I disagree:

There are other factors. Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted ip access to another device that must be PCI compliant. That is why people segment off their PCI compiant devices from the rest of the network in a DMZ. Some even have two DMZs, a PCI compliant one and a non-PCI compliant one. Others unfortunately can't afford two DMZs so they have to make all devices in the DMZ PCI compliant.

The company I work for has an appliance-based product that sits int he DMZ and had such and overwhelming demand for PCI compliance just so the box could sit in the DMZ, we had to do it.

So some customers will need SilverStripe to be PCI compliant just to allow a web server using it into their DMZ, regardless of whether they are using it for a e-commerce site or not.

Reasons I agree that PCI compliance is not need by SilverStripe themselves:

Now PCI compliancy is not all on SilverStripe. The OS matters, the web server used matters (Apache, Lighttp, nginx), etc... So maybe it is impossible to get PCI compliant because there are so many other factors outside of SilverStripe control.

I think that SilverStripe would get some big bang for the buck if they created an appliance server that sold.

PF to nat to jails
webserver in a jail
- Apache, lighttpd, or nginx
- SilverStripe
Postgresql in a separate jail

Then they could get this appliance certified as PCI compliant. That way, at least there would be a known configuration that is PCI Compliant and I think the appliance would sell to businesses like hot cakes.


Forum Moderator, 1899 Posts

30 October 2010 at 3:42am

Edited: 30/10/2010 3:44am

"Such as a device must be PCI compliant if it is even on the same subnet or has unrestricted ip access to another device that must be PCI compliant"

So for hosted payments where you only get secure access (which is why they can be a real pain to integrate) you don't need to be PCI because you are accessing the PCI compliant site securely - you never have the opportunity of getting the credit card details.

But yes if they hold credit card details on the same server then the server will need to be checked - but then people will already deal with that and it really isn't anything to do with e commerce module here.