I have not seen any discussion about PCI compliance. Seems this should be important to anybody planning to use osCMax on a real, live site.
Norman
http://www.oscmax.com/forums/oscmax-...ompliance.html
https://www.paypal.com/pcicompliance
PCI compliance is only important if you are storing client data on your site, e.g. credit card details, etc. "The standard includes 12 requirements for any business that stores, processes or transmits payment cardholder data." (source) - So the question you have to ask is: do you really want to store, process or transmit cardholder data? Or simply use a payment provider that does this for you? Google Checkout, PayPal, etc.
Regards,
pgmarshall
_______________________________
Any idea yet when the full blown version will be available for launch?
Well, for instance, using Authorize.net AIM, you don't STORE the CC data, which is good, but you DO "process or transmit" the card number, etc. to the payment processor. If your site is hacked and another php file is inserted, it could send that data to a criminal. I've been trying to get Authorize.net SIM working with osCmax for 2 years now, but have never gotten it to complete the transaction back to osCmax. So, I'm stuck only being partially PCI compliant.
Jon
You can be fully PCI compliant using the AIM method; let's not get misinformation out there. All you have to do is meet the compliance standards. Either method (AIM or SIM) on a properly secured server is fully PCI compliant.
PCI compliance has absolutely nothing to do with being hacked. Your site/server can be fully PCI compliant and still be hacked/compromised. Compliance does not = security. Only security=security.
What jmelson is discussing here is that he does not want to be responsible for PCI compliance at his store level, but wants to pass that responsibility to Authorize.net. By using SIM, you are not becoming PCI compliant, but shifting the compliance responsibility to Authorize.net.
Note that your site can still be hacked and customer data can still be stolen, customers' computers can still be infected with malware, etc. You just bear no liability for cc# data. That is it. You are still responsible for keeping your site/server secure.
Right! I am at the lowest level of PCI compliance, where I certify that "merchant does not store, process or transmit any cardholder data". This level of compliance only costs me $99 a year. But, this is not actually true, if I use the AIM module.
A higher level of compliance requires outside audits, and costs $500 - 1500 a year, and I'd like to avoid those fees, on a REALLY small-scale business, namely, just me, selling a few items a month.
But, so far I have had no luck making Authorize.net SIM work. Still trying, though.
Jon
Well, after a BUNCH more reading at various PCI compliance sites, Authorize.net, etc. I FINALLY found a definition of "cardholder data" and that it means ANY identifying info for a cardholder! So, name, address and phone number are considered as sensitive as the card # and expiration date! Well, that changes EVERYTHING! Since osCmax and all other stores store that info, I HAVE to increase my PCI compliance level, get audited, etc. What a pain, I had hoped to skip all this junk! And, Authorize.net SIM really solves nothing at all, at least according to the PCI requirements.
So, Michael is completely right!
Jon
Is it better to pass the responsibility of credit card security to a payment gateway like Authorize.net? We have been throwing the idea around of creating our own bit encryption and storing information on servers, but as we have not really touched payment processing just yet (no sales, still too new) it would be cool to get some input from those of you that have already walked down this road.