By: Jason

Jason — Fri, 19 Feb 2010 18:23:02 +0000

Thanks for your comments Mike. I know where you are coming from and it is going to make things tough on the Mom-and-Pop operations. Spoke to someone today and he is going to have his site one place and his checkout another, just to comply with PCI. Not ideal, but it kind of makes sense. I perceive that PCI compliant checkout services are going to take off if the credit card companies actually crack down on this. It is just such a wide field, there is no way they are going to be able to check everyone. I’m sure they’ll be looking for key players to go after and hope that media coverage scares everyone else to take action. I also agree that nit picky details are not nearly as important as overall best practices. For instance not storing credit card data at all in your database pretty much eliminates the need for a large portion of the requirements. If you simply send things to Authorize.net you need to make sure: 1) data is encrypted from the browser to the cart to Auth.net, 2) the system is secure enough that no one messes with the cart code to record this information through that authorization process.

By: Mike

Mike — Thu, 18 Feb 2010 13:24:16 +0000

PCI compliance is such a joke. And an annoying one at that. Some of the PCI Compliance reports we’ve gotten back from clients’ banks have things like “Your server is running version 5.2.0 of PHP, and there’s a known bug in that version. You must upgrade to version 5.2.1″ They don’t bother to check that the bug they mention would be impossible to exploit in the site’s code, but I don’t think they bother to check much of anything… So for clients in a shared hosting environment, where PHP version upgrades are impossible, you now have a huge problem. Most Mom-and-Pop eCommerce stores simply can’t afford the hosting requirements or the work involved in getting their sites to match up with these ambiguous requirements. Okay, rant over.

Comments on: PCI Compliance Required Soon

By: Jason

By: Mike