This isn't necessarily true. I'm not a lawyer, and I haven't read all of the docs... only a few articles on the topic, and I'm not even sure what is finalized at this point since a lot of these things seem to be tentative policies that aren't fleshed out yet.

There are always alternatives. This might cause certain retailers to not accept certain credit cards, for example (like only accepting AmEx and Discover and such, since it is mainly Visa and MasterCard that are behind a lot of these things). Another likely thing is that in the future, just like now, the requirements vary depending on your transaction volume. Chances are the requirement you're alluding to won't kick in for the majority of OFBiz users... most of whom are probably in the transaction volume range where only a self-evaluation for PCI compliance (i.e. just filling out a form) is required.
-David
On Jun 5, 2009, at 4:58 AM, BJ Freeman wrote:
As of July 2010 this will be a moot point. The only payment systems that OFBiz can use will be PayPal IPN or Google Checkout by default.

The only way that OFBiz can be used with any other gateway and Visa CC is when a company takes the OFBiz code and makes it their own and becomes responsible for the certification. Certification is currently quoted as $100,000.

Based on the certification process, I think any effort should be on how OFBiz will pass the certification.
Scott Gray sent the following on 6/4/2009 10:59 PM:
Hi All,

I plan to add a configuration option to clear credit card data once there are no more auths pending against it. When I say clear the data I mean remove the expiry date and credit card number except for the last 4 digits.

Any thoughts on where this should be configurable/how it should be implemented? I think the card clearing logic may have to be specific to the gateway being used, e.g. authorize.net needs you to keep the last 4 digits for refunds but others may not.

I'm thinking perhaps I could add a new product store payment service type enumeration record, something like PRDS_PAY_CLEAR_DATA, and the defined service would run after the capture and release services.

Recurring billing is the other thing I'm not sure about. I guess I'd need to leave the card data alone in that case, but I've never worked with recurring payments so I'm not sure how I would detect if the card is being used for them.

Any thoughts would be appreciated.

Thanks
Scott

HotWax Media
http://www.hotwaxmedia.com
--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.
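As an added example, not code from OFBiz or from anyone in this thread, here is the card-clearing decision logic Scott proposes written out in Python: once no auths are pending and no recurring billing references the card, the expiry is dropped and the card number is masked, with a per-gateway policy deciding whether the last four digits are kept (authorize.net needs them for refunds, per the thread). The CardRecord fields, the gateway policy table and the sample card number are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Per-gateway policy (assumption): does this gateway need the last 4 digits
# retained for refunds? authorize.net is the case named in the thread.
KEEP_LAST4 = {"authorize.net": True, "example.gateway": False}
MASK_CHAR = "X"


@dataclass
class CardRecord:
    card_number: str              # PAN as stored, digits possibly spaced
    expire_date: str              # "MM/YYYY", empty once cleared
    gateway: str                  # payment gateway the store uses
    pending_auths: int = 0        # authorizations not yet captured/released
    recurring_subscriptions: int = 0  # active recurring billing records


def is_cleared(card: CardRecord) -> bool:
    """True if the PAN has already been masked."""
    return MASK_CHAR in card.card_number


def clear_card_data(card: CardRecord) -> bool:
    """Scrub stored card data if it is safe to do so; return True if cleared.

    The record is left untouched while any auth is still pending (capture
    or release may still need it) or while recurring billing references it.
    """
    if is_cleared(card):
        return False                      # idempotent: nothing left to clear
    if card.pending_auths > 0 or card.recurring_subscriptions > 0:
        return False
    digits = card.card_number.replace(" ", "")
    keep = 4 if KEEP_LAST4.get(card.gateway, True) else 0  # unknown gateway: keep 4
    card.card_number = MASK_CHAR * (len(digits) - keep) + digits[len(digits) - keep:]
    card.expire_date = ""
    return True


def on_auth_settled(card: CardRecord) -> bool:
    """Hook to run after a capture or release service completes."""
    card.pending_auths = max(0, card.pending_auths - 1)
    return clear_card_data(card)
```

`on_auth_settled` is where a service like the proposed PRDS_PAY_CLEAR_DATA would sit: it runs after each capture or release and only clears once the last pending auth is gone.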