Page is a not externally linkable
SteffanKlein - 8:31 am on Aug 22, 2009 (gmt 0)
Keep in mind that quite a number of very popular open source solutions actually use the API integration with payment gateways - making PCI compliance a requirement for their users. In regards to $600 PCI compliance - no one can provide PCI compliance for $600. This is why: PCI defines a number of regulations and procedures you have to comply with.
HI AffiliateDreamer,
PCI is a real fun topic - as the regulations are so wide open and everyone seems to interpret the rules in a different way - even without reading them and based on what others are writing - who usually haven't read the rules either.
PCI applies to anyone who accepts credit cards - not just online. But for online your systems and your custom written software will have to comply with PCI regulations - even if you only transmit credit card details and don't store them. If you don't deal with credit card details on your server, you don't have to worry.
So for example if you create your own shopping cart solution and you want to integrate with Payment gateways using an API which you run on the server hosting your shopping cart server, then systems and companies using your solution will have to be PCI compliant.
There are number of references in regards to programming code in the PCI regulations - mainly to do with verification of input and some basic training of programmers - so it would be worthwhile for you to review them (It's not as scary as you may think).
These require you to not only set up your firewalls, servers and databases in a certain way - they also define how you connect to your servers, who has what kind of access, how you deal with passwords, what kind of intrusion control and logging processes you use, how long you store logs, how access to the data enter you host in is secured, how you encrypt credit card details (if you store them) and many other procedures which you have to implement.
The $600 option can only deal with the server side setup - and in most cases they will not even set up intrusion control and PCI compliant logging - they simply make sure the server passes an external PCI scanning test. The onus of complying with many procedures is on you.
Most people who store or transfer credit cards believe they are okay, if they sign up with a company scanning their server for PCI compliance. This however is only one small part of PCI compliance.
PCI compliance is a huge pain in the proverbial - and unfortunately it is made a lot more difficult by people who don't read the rules or who choose to interpret the rules in certain ways rather than the way they are written down (usually so they can charge you more for becoming compliant).
A whole industry has developed around this, from special intrusion detection software to logging software and companies verifying your compliance.
Software for PCI compliance can quickly add up to more than $20,000 in yearly license fees, depending on the number of servers your system uses. Prices are absolutely horrendous. Although this isn't required at all. There are a number of open source solutions you can use to meet compliance, such as Ossec and Snort (but you need to know how to set them up and you have to use multiple servers). You can also host servers on Amazon EC2 cloud, so long as you don't require Level 1 PCI compliancy (more than 6 million transactions per year).
Really your best option is to go to the PCI website https://www.pcisecuritystandards.org/ and download the questionnaire applicable to you and you customers. Just read it - that will give you the clearest understanding of what you are getting yourself into.
:)