ipgeek-lg, posted July 12, 2012

Hi all,

Over the last (insert abstract length of time here) I have been writing a module for WHMCS that aims to make the system meet PCI compliance.

What is PCI compliance? If you are a merchant of any size accepting credit cards, you must be in compliance with PCI Security Council standards. This includes storing card details and personal information for the person those card details belong to.

PCI Website: https://www.pcisecuritystandards.org/
WIKI Explanation: http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

The key points that WHMCS does not meet:

Requirement 4: Encrypt transmission of cardholder data across open, public networks (email or http traffic)
- When creating a new account, WHMCS emails the customer the password and stores it unencrypted in the database.
- When resetting a password, WHMCS emails the customer the new password, and the user is not forced to change the password when they log in. The email is also stored unencrypted in the database.

One key issue is that prior to WHMCS v5.1.2, modules have not been able to make the pages they serve go over SSL. That made any password reset facility where the user sets a new password via the browser useless. Now that is fixed, we are sorted!

So this post is basically to let the community know it's done at last (thank you for the help of laszlof).

Another motive for this post is basically to ask how much compliance is actually worth to people. I will be charging a monthly fee for the use of this mod with a view to continual development and accepting of feature requests. How much is this worth to people running WHMCS-based businesses?
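As an added illustration of the two points above (this is not code from WHMCS or from ipgeek-lg's module), here is a welcome/password-reset flow in PHP, the language WHMCS is written in, that never e-mails or stores a plaintext password. The e-mail carries only an HTTPS link with a random single-use token; the database keeps only a hash of that token and a hash of the password the user then chooses in the browser. The function names, the in-memory user table and the `$baseUrl` value are assumptions made for the example.

```php
<?php
// Added example, not code from WHMCS or from the module discussed in the thread.
// Shows a welcome / password-reset flow that never e-mails or stores a plaintext
// password: the database keeps only a password hash and a hashed, single-use,
// expiring token; the e-mail carries only an HTTPS link; the user picks the
// password in the browser. The user table is an in-memory array constructed
// for the demo and $baseUrl is an assumed address.
declare(strict_types=1);

const RESET_TOKEN_TTL = 3600;                 // seconds a link stays valid
const MIN_PASSWORD_LENGTH = 12;

$baseUrl = 'https://billing.example.test';    // assumed: portal reachable over TLS only
$users   = [];                                // constructed stand-in for the users table

// Account creation: no password is generated, so there is nothing to e-mail or store.
function createAccount(array &$users, string $email): void
{
    $users[$email] = ['password_hash' => null, 'reset_hash' => null, 'reset_expires' => 0];
}

// Issue a reset/activation link. Only the SHA-256 of the token is stored, so a
// database dump does not yield usable links. Returns the e-mail body, or null
// when the address is unknown (the caller should answer identically either way).
function issueSetPasswordLink(array &$users, string $email, string $baseUrl): ?string
{
    if (!isset($users[$email])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));                       // 256-bit random, URL-safe
    $users[$email]['reset_hash']    = hash('sha256', $token);
    $users[$email]['reset_expires'] = time() + RESET_TOKEN_TTL;

    $link = $baseUrl . '/setpassword.php?email=' . rawurlencode($email) . '&token=' . $token;
    return "Choose your password by opening this link within one hour:\n$link\n";
}

// The browser submits the token and the chosen password over HTTPS.
function setPassword(array &$users, string $email, string $token, string $newPassword): bool
{
    $u = $users[$email] ?? null;
    if ($u === null || $u['reset_hash'] === null || time() > $u['reset_expires']) {
        return false;                                         // unknown, no link issued, or expired
    }
    if (!hash_equals($u['reset_hash'], hash('sha256', $token))) {
        return false;                                         // constant-time mismatch
    }
    if (strlen($newPassword) < MIN_PASSWORD_LENGTH) {
        return false;
    }
    $users[$email]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$email]['reset_hash']    = null;                   // single use: token consumed
    $users[$email]['reset_expires'] = 0;
    return true;
}

// Login checks only against the stored hash; an account with no password set cannot log in.
function login(array $users, string $email, string $password): bool
{
    $hash = $users[$email]['password_hash'] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

// Demo run: create an account, "send" the welcome mail, pull the token out of the
// link the way the browser would, set the password, then try to reuse the link.
createAccount($users, 'alice@example.test');
$mail = issueSetPasswordLink($users, 'alice@example.test', $baseUrl);
echo $mail;
preg_match('/token=([0-9a-f]{64})/', $mail, $m);
$token = $m[1];

var_dump(login($users, 'alice@example.test', 'anything'));                     // before activation
var_dump(setPassword($users, 'alice@example.test', $token, 'correct horse battery staple'));
var_dump(setPassword($users, 'alice@example.test', $token, 'second attempt with same link'));
var_dump(login($users, 'alice@example.test', 'correct horse battery staple'));
var_dump(login($users, 'alice@example.test', 'wrong password'));
```

The same function serves both cases from the post: a new account gets a "set your password" link instead of a generated password, and a reset request gets the same link. Because the token is consumed on first use and expires after an hour, a stored copy of the e-mail or of the `reset_hash` column is of no use to anyone reading the database later, and the password only ever travels from the browser over TLS, which is why the SSL support for module pages mentioned in the post matters.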
Keiro, posted July 18, 2012

ipgeek-lg wrote: "How much is this worth to people running WHMCS-based businesses?"

... Quite a bit. I actually had a client complain about this last night. >_>

Out of all the clients that we have, this was the first to have complained. ... And I expect him to not be the first as more clients join us.

We need to change this. I'd like to reduce as much risk as possible.

Something like this? It's very valuable, indeed...
hyperwebbers, posted August 4, 2012

Have you finished the job?