[ic] PCI compliance

[Jonathan Clark]

2008/11/5 Dave Brooks <Dave at brooksnet.com>

>  Hello,
>
> We have used Interchange on our site, brooksnet.com, for several years
> now. We're relatively small merchants but we are now needing to determine
> our PCI compliance.
>
> I was wondering what your payment application DSS compliance was, what we
> would have to do to configure Interchange to be PCI compliant, etc.
>
> Any advice would be appreciated!
>


IC (as I am sure you will realise) represents a small part of your quest for
compliance.

Assuming you have IC handling the credit cards, most of your work will
concern the integrity of your server/hosting environment and the ability to
track any changes to the systems. You also need documented procedures in
place for your tech staff.

Out of the box, Interchange encrypts card details before storing them,
provides no means of decrypting on the server, and never stores cards in the
clear, even in debug logs. So, looking purely at Interchange, it ticks the
appropriate boxes. The only thing I would consider changing is the storage
of the orders including the cypher block. PCI-DSS works very much along the
lines of 'if you don't need it, don't store it'.

First step should be to work through the self-assessment questionnaire and
highlight your gaps in compliance. If you buy in your hosting, your provider
should be compliant also.

The view in the UK is that if you are hosting an ecom website, you need to
be level-one compliant. This is driving some providers to push people in the
direction of using payment pages instead of an integrated PSP.

Have fun!

Jonathan


-- 
Jonathan Clark, Managing Director
Setfire Media, Cartridge SAVE, Axiar Payment Solutions
0844 576 5515 / jonathan.clark at setfiremedia.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.icdevgroup.org/pipermail/interchange-users/attachments/20081106/2f24bcd7/attachment.htm