From: Paul M Foster > I'm certain people on this list have set up this type of system for > customers. So I have some questions: > > 1) Does the usual online store software (osCommerce or whatever) include > "secure" pages for acceptance of credit cards? I know they have the > capability to pass this info securely off to places like authorize.net > for processing. > > 2) Assuming a customer website, probably hosted in a shared hosting > environment, with appropriate ecommerce store software, how does one > deal with PCI compliance? I mean, the customer would have no control > over the data center where the site is hosted. Moreover, they would > probably have little control over the updating of insecure software, as > demanded by PCI. They likely don't have the facilities to do the type of > penetration testing PCI wants. So how could they (or how do you) deal > with the potentially hundreds of questions the PCI questionnaire asks > about all this stuff? How do you, as a programmer doing this for a > customer, handle this?
1) No. 2) PCI compliance is neither simple nor cheap. If you have not done it before, hire a consultant that has and have them train you. You will also need annual refresher courses and a good auditor to validate your site every month. You will need to change data centers, as you need one that is PCI compliant for the pages that will handle protected information. There are requirements for physical security of those servers as well as the software that runs on them. You also have a choice of maintaining your own servers or finding a managed hosting service that will maintain them for you. One of the requirements is that you must maintain separate servers for development and testing. You also need to establish a formal development, test and deployment process. The developers are not allowed to have any access to the production servers. We have four sets, development, QA test, User Acceptance Test and production. The latter two are exposed to the Internet, while the first two are internal only. We have several sites that are now PCI compliant. It took us eight months after the decision to get the first one online and certified. Most of that was training and waiting for the audits and certification, as we nearly passed the initial validation on the first try. But we had to change hosting providers twice to find one that we were comfortable with. After that is all said and done, keep in mind that the primary purpose of the PCI requirements is to mitigate the financial liability of the credit card issuers. If anything goes wrong at your end that exposes privileged data, you will be financially responsible for the damages. So make sure you go above and beyond those requirements to protect yourself. Bob McConnell -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
