You are correct: at this time banks are requiring a scan from their provider and filling out a form. You're also correct that it is being lobbied in Congress, but Congress is favoring even heavier restrictions.
http://chuvakin.blogspot.com/2009/04/thoughts-and-notes-from-pci-dss-hearing.html
Here are some links that may help.
http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html
http://www.pcicomplianceguide.org/pcifaqs.php#2
https://www.pcisecuritystandards.org/security_standards/vpa/

David E Jones sent the following on 6/5/2009 4:13 AM:
>
> This isn't necessarily true. I'm not a lawyer, and I haven't read all of
> the docs... only a few articles on the topic, and I'm not even sure what
> is finalized at this point since a lot of these things seem to be
> tentative policies that aren't fleshed out yet.
>
> There are always alternatives. This might cause certain retailers to not
> accept certain credit cards, for example (like only accepting AmEx and
> Discover and such since it is mainly Visa and MasterCard that are behind
> a lot of these things). Another likely thing is that in the future, just
> like now, the requirements vary depending on your transaction volume.
> Chances are the requirement you're alluding to won't kick in for the
> majority of OFBiz users... most of whom are probably in the transaction
> volume range where only a self-evaluation for PCI compliance (ie just
> filling out a form) is required.
>
> -David
>
>
> On Jun 5, 2009, at 4:58 AM, BJ Freeman wrote:
>
>> as of July 2010 this will be a moot point.
>> the only payments systems that ofbiz can use will be Paypal IPN or
>> Google checkout by default.
>>
>> the only way that ofbiz can be used with any other gateway and Visa CC,
>> is when a company takes the ofbiz code and makes it their own and
>> becomes responsible for the Certification. Certification currently is
>> quoted as $100,000.
>>
>> Based on the certification process I think any effort should be how
>> ofbiz will pass the certification.
>>
>>
>> Scott Gray sent the following on 6/4/2009 10:59 PM:
>>> Hi All,
>>>
>>> I plan to add a configuration option to clear credit card data once
>>> there are no more auths pending against it. When I say clear the data I
>>> mean remove the expiry date and credit card number except for the last 4
>>> digits.
>>>
>>> Any thoughts on where this should be configurable/how it should be
>>> implemented? I think the card clearing logic may have to be specific to
>>> the gateway being used, e.g. authorize.net needs you to keep the last 4
>>> digits for refunds but others may not.
>>> I'm thinking perhaps I could add a new product store payment service
>>> type enumeration record, something like PRDS_PAY_CLEAR_DATA and the
>>> defined service would run after the capture and release services.
>>>
>>> Recurring billing is the other thing I'm not sure about, I guess I'd
>>> need to leave the card data alone in that case but I've never worked
>>> with recurring payments so I'm not sure how I would detect if the card
>>> is being used for them.
>>>
>>> Any thoughts would be appreciated.
>>>
>>> Thanks
>>> Scott
>>>
>>> HotWax Media
>>> http://www.hotwaxmedia.com
>>
>> --
>> BJ Freeman
>> http://www.businessesnetwork.com/automation
>> http://bjfreeman.elance.com
>> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
>>
>> Systems Integrator.
>>
>
>

--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro

Systems Integrator.
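
The clearing rule proposed in Scott Gray's quoted message (drop the expiry date and all but the last 4 digits once no auths are pending, with a per-gateway setting and recurring-billing cards left alone) can be expressed as below. This is an added example, not OFBiz code and not anything posted in the thread; the class, fields, gateway table and the recurring flag are hypothetical.

```java
import java.util.Map;

// Added illustration: every name here is hypothetical, none is an OFBiz entity or service.
public class CardDataClearing {

    static final class StoredCard {
        String cardNumber;        // full number until cleared
        String expireDate;        // removed (null) once cleared
        boolean cleared = false;
        StoredCard(String cardNumber, String expireDate) {
            this.cardNumber = cardNumber;
            this.expireDate = expireDate;
        }
    }

    // Assumed per-gateway rule: must the last 4 digits survive for refunds?
    static final Map<String, Boolean> KEEP_LAST_FOUR = Map.of(
            "authorize.net", true,      // per the thread: needs the last 4 for refunds
            "example-gateway", false);  // constructed entry

    /** Clears the card in place and returns true, or returns false if it must be left alone. */
    static boolean clearIfEligible(StoredCard card, String gateway,
                                   int pendingAuths, boolean usedForRecurring) {
        if (card.cleared || pendingAuths > 0 || usedForRecurring) {
            return false;   // auths still open, recurring billing, or nothing left to clear
        }
        String digits = card.cardNumber.replaceAll("\\D", "");
        // Unknown gateways keep the last 4, matching the default described in the thread.
        boolean keepLastFour = KEEP_LAST_FOUR.getOrDefault(gateway, true);
        int kept = Math.min(4, digits.length());
        card.cardNumber = keepLastFour
                ? "*".repeat(digits.length() - kept) + digits.substring(digits.length() - kept)
                : null;
        card.expireDate = null;
        card.cleared = true;
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample data; 4111111111111111 is a widely used test number.
        StoredCard a = new StoredCard("4111 1111 1111 1111", "12/2010");
        System.out.println(clearIfEligible(a, "authorize.net", 1, false)); // auth pending
        System.out.println(clearIfEligible(a, "authorize.net", 0, false) + " " + a.cardNumber);
        StoredCard b = new StoredCard("4111111111111111", "12/2010");
        System.out.println(clearIfEligible(b, "example-gateway", 0, true)); // recurring
        System.out.println(clearIfEligible(b, "example-gateway", 0, false) + " " + b.cardNumber);
    }
}
```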
