Yozons, I think we are actually on-topic here. PCI Compliance is something that every application must deal with. Because of the hybrid nature of GWT applications, there are certain challenges that are unique to the platform.
I think you might be misunderstanding the problem with PCI Compliance, especially from a GWT standpoint. It is not possible to connect a GWT Widget (such as a payment form) directly to an external payment processor through RPC due to the cross-domain security policies of the browser. These requests must be routed through the hosting server. Because the payment details touch the server, the application must conform to PCI guidelines. When the credit card data touches the server-side service, you are immediately subjected to SAQ-C (at least).

The overview in your post is extremely high level without the specific requirements for compliance. I've included a link to the full PCI-DSS and SAQ below. While a vast majority of the SAQ-C requirements focus on server software implementation, Section 9 of the PCI-DSS lays out a number of PHYSICAL requirements that must be followed at the data center level. Hosting your application at a PCI-Compliant data center is extremely expensive; furthermore, cloud-based environments such as EC2 or Google App Engine are, by nature, not PCI Compliant.

CRE Secure aims to eliminate the entire PCI Compliance variable by collecting and processing the payment data in our hosted environment, all while maintaining the customer experience on your site. If you'd like to see a demo of our solution working in a GWT application, please drop me an email.

Thanks,
Evan
[email protected]

SAQ-C: https://www.pcisecuritystandards.org/saq/docs/aoc_saq_c.doc
PCI-DSS: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

On Mon, Nov 16, 2009 at 4:01 PM, Yozons Support on Gmail <[email protected]> wrote:

> This has gone off-topic, so I won't belabor my point, but the PCI principles clearly show it's more geared towards the server-side, as the browser itself never had to be "PCI compliant" or any such rubbish. And no GWT interface tool can ensure PCI compliance either. A server that has gone through the compliance analysis is key, so if that part is taken over with the GWT interface, then I surely understand that.
>
> The core of the PCI DSS is a group of principles and accompanying requirements, around which the specific elements of the DSS are organized:
>
> *Build and Maintain a Secure Network*
>
> *Requirement 1:* Install and maintain a firewall configuration to protect cardholder data
> *Requirement 2:* Do not use vendor-supplied defaults for system passwords and other security parameters
>
> *Protect Cardholder Data*
>
> *Requirement 3:* Protect stored cardholder data
> *Requirement 4:* Encrypt transmission of cardholder data across open, public networks
>
> *Maintain a Vulnerability Management Program*
>
> *Requirement 5:* Use and regularly update anti-virus software
> *Requirement 6:* Develop and maintain secure systems and applications
>
> *Implement Strong Access Control Measures*
>
> *Requirement 7:* Restrict access to cardholder data by business need-to-know
> *Requirement 8:* Assign a unique ID to each person with computer access
> *Requirement 9:* Restrict physical access to cardholder data
>
> *Regularly Monitor and Test Networks*
>
> *Requirement 10:* Track and monitor all access to network resources and cardholder data
> *Requirement 11:* Regularly test security systems and processes
>
> *Maintain an Information Security Policy*
>
> *Requirement 12:* Maintain a policy that addresses information security
>
> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=.
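The scoping point made above (card data that reaches your own server puts that server in PCI scope) is easiest to verify with evidence rather than by reading architecture diagrams. The following script is an added example, not code from the thread or from CRE Secure: it scans constructed sample request bodies for Luhn-valid primary account numbers and reports which endpoints actually receive cardholder data, masking each match to the first six and last four digits before it is reported. The endpoint names and payloads are made up for the example; the 4111... value is a publicly known test number, not a real card.

```python
import re

# Constructed sample request bodies as a server-side filter might log them
# (endpoint, body). None of these are real requests or real card numbers.
SAMPLE_REQUESTS = [
    ("POST /rpc/Checkout",
     '{"name":"A. Customer","pan":"4111111111111111","exp":"12/29"}'),
    ("POST /rpc/Profile",
     '{"name":"A. Customer","phone":"4155550123"}'),
    ("POST /rpc/Order",
     '{"token":"tok_abc123","amount":"19.99"}'),
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. This is deliberately broad; the Luhn check prunes it.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every Luhn-valid card-number-shaped digit run found in text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan):
    """Keep at most first six and last four digits, as PCI DSS truncation allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def in_scope_endpoints(requests):
    """Map each endpoint that received cardholder data to its masked PANs.

    Any endpoint listed here handles cardholder data on your server, which is
    exactly the condition that pulls the server into SAQ scope.
    """
    result = {}
    for endpoint, body in requests:
        pans = find_pans(body)
        if pans:
            result[endpoint] = [mask_pan(p) for p in pans]
    return result


if __name__ == "__main__":
    for endpoint, pans in in_scope_endpoints(SAMPLE_REQUESTS).items():
        print(f"{endpoint}: cardholder data present -> {', '.join(pans)}")
```

Run against real request logs this should report nothing if a hosted-payment design is working as intended; a single hit means the server is handling the PAN and the hosting environment has to meet the requirements Evan describes. The phone number in the second request is rejected by the length bound, and the order token never matches, which is why the Luhn step matters more than the regex.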
