> It seems like the client here doesn't have the foggiest idea about
> security, and that's a dangerous position for you to be in. Actually
> achieving PCI compliance is going to take considerable time and money;
> make sure that you document any corners they want you to cut, as
> you'll need that if (or when) they get sued for leaking customer info.
> It probably wouldn't hurt to have a lawyer do a quick once-over on the
> contract to see exactly how much liability you may have if there is a
> breach.

I have to admit though, as the "developer", I don't know too much about
PCI compliance either. This will be my first real "sensitive data"
app, so using SSL and other methods is all new to me.

Now the 12 PCI DSS Requirements seem pretty straightforward. They are
planning on paying for hosting, so most of that seems like the kind of
thing that would be on the host side. So it sounds more like just
finding the right host that follows the guidelines?

Encrypt information in the db.
Have expirations for sensitive info.
Use SSL to transfer info, and only between the client and the db and the
db and the immediate person who needs to deal with the data.
Track access to the information.

And better than all of that, sit down with the client and re-assess the
process in the hope we can work with APIs so the information can go
straight to the checks and I won't have to deal with any of the above.

But really, if I do go ahead with this, is there anything else I
should look into? I know they don't know much and are relying more on
me to have all the security information.

Thanks for everyone's input. I do know my own limits with development,
and if it looks like it is beyond my ability I have no problem
backing out, for both my own and my client's benefit. I just want to
make sure I can get a full picture before I pull out/go ahead.

thanks,
brianp
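As an added example (not code from this thread, and not a Rails or PCI library API), the Ruby sketch below shows the three storage-side mechanisms listed in the message above working together: a field encrypted before it reaches the database, an expiry attached to each stored value, and a log entry for every access attempt. It uses AES-256-GCM from Ruby's standard OpenSSL binding, so a tampered ciphertext is detected rather than silently decrypted. The class name SensitiveVault, its methods, the 32-byte key handed in from outside (in practice from a key-management service, never stored beside the data) and the sample card-shaped value are all constructed for the example. It covers only the "encrypt, expire, track" items, not the rest of the PCI DSS requirements discussed above.

```ruby
require 'openssl'
require 'time'

# Constructed example: a minimal "vault" for one sensitive field.
# Each record is stored only as ciphertext plus an expiry; every read
# attempt, successful or not, is appended to an access log.
class SensitiveVault
  Record = Struct.new(:id, :ciphertext, :iv, :tag, :expires_at)

  attr_reader :access_log

  # key: 32 raw bytes for AES-256, supplied by the caller (assumption:
  # it comes from a KMS or environment secret, not from this database).
  def initialize(key)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    @key = key
    @records = {}
    @access_log = []
    @next_id = 1
  end

  # Encrypts plaintext under a fresh random IV and records when it expires.
  # The record id is bound in as authenticated data so a ciphertext cannot
  # be swapped into another record without failing the GCM tag check.
  def store(plaintext, ttl_seconds:, now: Time.now)
    id = @next_id
    @next_id += 1
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = id.to_s
    ciphertext = cipher.update(plaintext) + cipher.final
    @records[id] = Record.new(id, ciphertext, iv, cipher.auth_tag, now + ttl_seconds)
    id
  end

  # Returns the plaintext, or nil when the record is missing, expired or
  # fails authentication. Every outcome is logged with the acting user.
  def fetch(id, actor:, now: Time.now)
    rec = @records[id]
    unless rec
      log(actor, id, :missing, now)
      return nil
    end
    if now >= rec.expires_at
      @records.delete(id)          # expired data is removed on first touch
      log(actor, id, :expired, now)
      return nil
    end
    decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    decipher.key = @key
    decipher.iv = rec.iv
    decipher.auth_tag = rec.tag
    decipher.auth_data = id.to_s
    plaintext = decipher.update(rec.ciphertext) + decipher.final
    log(actor, id, :read, now)
    plaintext
  rescue OpenSSL::Cipher::CipherError
    log(actor, id, :tamper_detected, now)
    nil
  end

  # Drops every expired record (e.g. from a scheduled job); returns the count.
  def purge_expired(now: Time.now)
    expired = @records.select { |_, r| now >= r.expires_at }.keys
    expired.each { |id| @records.delete(id) }
    expired.size
  end

  private

  def log(actor, id, outcome, now)
    @access_log << { at: now.utc.iso8601, actor: actor, record: id, outcome: outcome }
  end
end

# Stand-alone demonstration with a constructed key and a constructed
# card-shaped value (a well-known test number, not real card data).
def vault_demo
  vault = SensitiveVault.new(OpenSSL::Random.random_bytes(32))
  t0 = Time.at(1_700_000_000)
  id = vault.store('4111-1111-1111-1111', ttl_seconds: 60, now: t0)
  first  = vault.fetch(id, actor: 'clerk', now: t0 + 10)   # within TTL
  second = vault.fetch(id, actor: 'clerk', now: t0 + 61)   # expired
  { first: first, second: second, log: vault.access_log }
end

puts vault_demo.inspect if $PROGRAM_NAME == __FILE__
```

The access log is what the "track access" item turns into in practice: it records who asked, which record, when, and whether the read succeeded, was refused because the data had expired, or failed the integrity check.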
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
