[web2py] Re: web2py, stripe, and pci compliance

2013-01-14 Thread howesc
I did some reading on PCI compliance and it's a quagmire!  There are 
multiple levels of PCI requirements depending on what you do with the 
data.  As best I can tell (without being an expert), a JavaScript-only 
solution that posts directly to Stripe and one where you post data to your 
server and then to Stripe would fall under the exact same category of PCI 
requirements (the lowest level).

Some things to note:
 - I believe that web2py itself can be PCI compliant.  The problem is more 
about how the server is secured than the web2py code itself.
 - Ensure that, no matter what, no data related to the credit card gets 
logged. This is easy to do on success, but be careful when there is an 
error with an auto-generated ticket.
 - Don't write any of the credit card info to the DB or memcache.
 - Use 2-factor authentication to get to your server.
 - There are a bunch of other requirements for OS and software upgrades and 
testing.

Note that to be 100% compliant, your particular install and management 
processes will have to be audited by a 3rd-party auditor.

Good luck!

cfh

On Sunday, January 13, 2013 11:16:28 AM UTC-8, Massimo Di Pierro wrote:

 I do not know if it is PCI compliant. The provided code requires that your 
 application handles (although not stores) credit card info. 

 Massimo

 On Sunday, 13 January 2013 12:16:44 UTC-6, Ragtime AllTime wrote:

 Hello all, I'm looking into using stripe.com as a payment processor for 
 web2py. It looks like web2py provides a nice and easy way for this, but I 
 am a bit worried about PCI compliance. 

 This site shows an example: 
 http://web2py.com/books/default/chapter/29/14#Stripe.com

 But nowhere on the site does it say whether it is PCI compliant or not. 
 I would rather not have my server handle any of the customer credit card 
 data. Stripe does provide a nifty stripe.js which enables us to not touch 
 any of that data, but then the form creation and submission will be handled 
 entirely by JavaScript and not by web2py's nice library.

 I guess in particular, if I do it just using stripe.js, I don't have to 
 give the form input tags any name. That way, web2py can never grab the data 
 from the dictionary (since I don't know the name of the input tag) that is 
 returned, and so the server will never actually touch the data. However, the 
 example link on web2py seems to indicate that this naming is necessary in 
 order to pass the data to stripe.charge() (since we have to grab the 
 data somehow from the form and feed it to stripe.charge()). This 
 suggests that the server has the ability to access that data.

 Could someone clarify this issue? Many thanks!



-- 





[web2py] Re: web2py, stripe, and pci compliance

2013-01-14 Thread Massimo Di Pierro
I studied the PCI specs when I taught a security class years ago. Things 
may have changed. I too remember that the major issue with PCI compliance 
was securing the server (keeping everything updated, applying security 
patches, running latest antivirus and intrusion detection software) and 
third party auditing.



On Monday, 14 January 2013 10:29:00 UTC-6, howesc wrote:




[web2py] Re: web2py, stripe, and pci compliance

2013-01-14 Thread Derek
If your application handles credit card information, it must be audited for 
compliance. So it may or may not be compliant; an audit will determine 
that. 
What most companies do is avoid the audit by not handling credit card 
information. If you use authorize.net (as an example), you can use the 
Server Integration Method, where all credit card information is collected 
by authorize.net and your application gets a postback from authorize.net 
confirming that a payment was made.

http://developer.authorize.net/api/howitworks/sim/

You'd want to read the PCI SAQ (Self Assessment Questionnaire) to determine 
if an audit is needed.

https://www.pcisecuritystandards.org/security_standards/documents.php?category=saqs


On Sunday, January 13, 2013 12:16:28 PM UTC-7, Massimo Di Pierro wrote:




[web2py] Re: web2py, stripe, and pci compliance

2013-01-14 Thread Derek
Also note for Stripe...

https://stripe.com/us/help/faq#pci-compliance

 Anyone accepting credit card payments must be PCI compliant—but with 
 Stripe, it's easy:

 - Serve your payment page over SSL (https://stripe.com/help/ssl), 
 i.e., the page's web address should begin with https, not http.
 - Use Stripe.js (https://stripe.com/docs/stripe.js) as the only means 
 by which you accept payment information and transmit it directly to 
 Stripe's servers.

 By taking these steps, you completely avoid handling sensitive card data, 
 and keep your systems out of PCI scope.

 
On Monday, January 14, 2013 11:05:04 AM UTC-7, Derek wrote:




[web2py] Re: web2py, stripe, and pci compliance

2013-01-13 Thread Massimo Di Pierro
I do not know if it is PCI compliant. The provided code requires that your 
application handles (although not stores) credit card info. 

Massimo

On Sunday, 13 January 2013 12:16:44 UTC-6, Ragtime AllTime wrote:

