[ic] PCI / PA-DSS
Nick
nick_ic at selltothem.com
Fri Jul 23 15:41:39 UTC 2010
I know there was a recent discussion about PCI compliance that focused
on vulnerability scanning, but I have been looking into the issue more
and am wondering what everyone's thoughts are on the PA-DSS component
(Payment Application Data Security Standard):
https://www.pcisecuritystandards.org/security_standards/pci_pa_dss.shtml
If I am understanding the requirements correctly, it seems as though it
is not good enough to simply have your site scanned for vulnerabilities,
ensure you use good passwords, etc., but if your site accepts credit
cards, such as through a payment gateway like authorize.net, your
e-commerce application needs to be PA-DSS approved.
The requirements might not be too difficult to meet, but of course
getting it approved requires many thousands of dollars of fees. It seems
to me as though no open-source e-commerce application is likely to be
able to afford to have the application certified, so I'm hoping that I
am just reading the requirements incorrectly and that Interchange is OK,
but does anyone with more knowledge about this have any insight? Thanks,
Nick