(Sorry-- originally sent without subject.)

I have a customer who currently has his site set up this way: donors
select (on a non-secure page) the level of donation they want to donate,
provide their name and an attestation, etc. None of the data is
confidential. Then they press the button, and we send them off to a
secure payment gateway operated by the merchant service company. They
take down the credit card and other information, clear the transaction,
and pass the approval/disapproval info back to my customer's website. An
email then gets fired to my customer containing all the data about the
transactions EXCEPT the confidential information, like credit card
number, etc.

In essence, my customer is not responsible for any confidential/secure
information, which is all handled by the merchant gateway.

For whatever unknown reason, my customer has been convinced they should
go with a different merchant service company. However, this company
doesn't have the same kind of secure payment pages. (Yes, they're
legitimate, but they're simply a payment processor. They don't have the
additional site to accept manual input of payment information and such.)
I've explained to my customer that, in doing this, he will need:

1) a fixed IP ($)

2) a security certificate ($)

3) an online store (as opposed to a single page he has now)

4) a whole new set of PCI responsibilities which his organization is not
prepared to fulfill. ($)

I'm certain people on this list have set up this type of system for
customers. So I have some questions:

1) Does the usual online store software (osCommerce or whatever) include
"secure" pages for acceptance of credit cards? I know they have the
capability to pass this info securely off to places like authorize.net
for processing.

2) Assuming a customer website, probably hosted in a shared hosting
environment, with appropriate ecommerce store software, how does one
deal with PCI compliance? I mean, the customer would have no control
over the data center where the site is hosted. Moreover, they would
probably have little control over the updating of insecure software, as
demanded by PCI. They likely don't have the facilities to do the type of
penetration testing PCI wants. So how could they (or how do you) deal
with the potentially hundreds of questions the PCI questionnaire asks
about all this stuff? How do you, as a programmer doing this for a
customer, handle this?


Paul M. Foster

PHP General Mailing List (http://www.php.net/)