SCIENTIFIC-LINUX-USERS Archives

April 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: David Sommerseth <[log in to unmask]>
Date: Wed, 9 Apr 2014 19:17:19 +0200
Content-Type: text/plain

On 09/04/14 16:27, Paul Robert Marino wrote:
> No, it was always required because the shopping cart itself may in some
> cases contain data which could possibly be used to gain access to
> sensitive customer data. Also in a sense data about who purchases what
> and where could also be used to mask credit card fraud by making the
> fraudulent charges look like the normal shopping activities of the
> card holder.

Really!?  I've been involved in a few PCI-DSS certification rounds for a
company which provided online payment services back in the days.
Granted that's some years ago now (2005 to 2008-ish).  Even though our
scope was limited to only processing credit card information, we did not
see any requirements anywhere at that time for the shopping cart to be
PCI-DSS certified.

In fact one of our sales arguments at that time was that our customers
could avoid certifications by implementing our online payment
"terminal".  We even had some discussions with our auditor about this,
who gave his blessings to our product.  The solution we provided in this
case would take care of retrieving the credit card information from the
customer, process the payment and just provide a status back to the
merchant.  Merchants using a payment API for processing payments would
in some cases need certification, based on the amount of transactions
they had; this I believe has become much stricter since those days.

And just to have mentioned it, the solutions we provided were based upon
Gentoo(!) servers.  We even got very positive feedback for having
absolutely minimal installs on our production servers, plus kudos for
our maintenance routines.

Of course, many of the requirements have most likely changed since then.
But I don't recognise the "always required" with regard to shopping carts.


--
kind regards,

David Sommerseth


> 
> On Wed, Apr 9, 2014 at 8:13 AM, James M. Pulver <[log in to unmask]> wrote:
>> We were recently informed PCI compliance also extends to the shopping cart
>> software, this may be new this year...
>>
>> --
>>
>> James Pulver
>>
>> CLASSE Computer Group
>>
>> Cornell University
>>
>> From: [log in to unmask]
>> [mailto:[log in to unmask]] On Behalf Of Paul
>> Robert Marino
>> Sent: Tuesday, April 08, 2014 11:26 PM
>> To: Nico Kadel-Garcia; ToddAndMargo
>> Cc: Scientific Linux Users
>> Subject: Re: Any 7 rumors?
>>
>> Well frankly, if you need PCI-DSS compliance, pay for RHEL. It's honestly not
>> that expensive for the few systems that really require it. Only the
>> systems that handle credit cards supposedly require it, and in most
>> ecommerce companies that's probably 2 to 4 systems, so what's the problem
>> with paying $750 a year each for those few systems to not have to deal with
>> the problems and giving the stock investors a warm and fuzzy feeling? Your
>> time spent on it costs them more money, and it reduces all the stress on
>> everyone if you buy compliance on the cheap.
>>
>> -- Sent from my HP Pre3
>>
>> ________________________________
>>
>> On Apr 8, 2014 22:55, Nico Kadel-Garcia <[log in to unmask]> wrote:
>>
>> On Tue, Apr 8, 2014 at 10:14 PM, ToddAndMargo <[log in to unmask]> wrote:
>>> Hi All,
>>>
>>> I have a customer who is going to have to upgrade a
>>> whole pail of stuff for PCI compliance (credit card
>>> security).
>>>
>>> Part of what he is going to have to upgrade is his old
>>> CentOS 5.x server (it is too underpowered to handle
>>> his new software along with the additional drag
>>> caused by adding File Integrity Monitoring
>>> [FIM] software).
>>>
>>> Any rumors as to when EL 7 will be out?
>>>
>>> Many thanks,
>>> -T
>>
>> Shortly after our favorite upstream vendor publishes it? I don't see
>> the relevance though. If he needs to update CentOS 5, update it to SL
>> 6 or CentOS 6. Why wait for RHEL 7 to update? It's going to be a major
>> cluster futz with the switch to systemd from init scripts, with
>> "/bin" being migrated to "/usr/bin", and the other major changes. It
>> will be much simpler, and much, much safer, to update to CentOS 6 or
>> SL 6 first!
