[ic] PCI / PA-DSS
jon at endpoint.com
Sat Jul 24 18:50:09 UTC 2010
On Fri, 23 Jul 2010, Nick wrote:
> If I am understanding the requirements correctly, it seems as though it
> is not good enough to simply have your site scanned for vulnerabilities,
> ensure you use good passwords, etc, but if your site accepts credit
> cards, such as through a payment gateway like authorize.net, your
> e-commerce application needs to be PA-DSS approved.
> The requirements might not be too difficult to meet, but of course
> getting it approved requires many thousands of dollars of fees. It seems
> to me as though no open-source e-commerce application is likely to be
> able to afford to have the application certified, so I'm hoping that I
> am just reading the requirements incorrectly and that Interchange is OK,
> but does anyone with more knowledge about this have any insight?
Nick, I don't know what will happen. I've read the requirements, and I
don't see how they can possibly be met by any ecommerce application that
allows any customization whatsoever.
If I have a custom in-house ecommerce app, and get it certified, is it
invalid the next day when I fix a bug or add a new feature?
If I use a "toolkit"-style framework like WebSphere or ATG or whatever,
even if the toolkit is certified, what about my thousands of lines of
Open source will obviously be a problem for PA-DSS, but only as a subset
of the bigger realm of *all custom software* which is par for the course
I suspect, like the earlier PCI requirements, there will be several years
of phase-in, compromise, deadline slips, etc. during which we'll find out
how this will actually play out.
End Point Corporation
More information about the interchange-users