bosn Posted April 15, 2008: How is WHMCS helping the merchant meet PCI compliance? https://www.pcisecuritystandards.org/ Can I use this without storing any credit card data? If so, how? As much as I and everyone else hate the thought of passing their customer off to an off-site payment application to enter their card number, this is really the only option for small businesses, as once you start storing card details, your server needs to meet the PCI requirements.
Pima Posted April 15, 2008: This is JMO, but there is a "scare tactic" being perpetrated upon the community as a whole... Many will have you believe that if there is any CC data passed through you, then you must be fully PCI compliant. I supply this from a HACKER SAFE site, and the emphasis is mine: This site is tested and certified daily to pass the HACKER SAFE Security Scan. To help address concerns about hacker access to confidential data, the "live" HACKER SAFE mark appears only when a web site meets the HACKER SAFE standard. Research indicates sites remotely scanned for known vulnerabilities on a daily basis, such as those earning HACKER SAFE certification, can prevent over 99% of hacker crime. We have pondered over this ad nauseam... If you actually read from the link you provided, what must be done for TRANSMISSION of this sensitive data: the only criterion is that you must use SSL encryption if you transmit this data, and almost all else is designed to control how you STORE and control ACCESS to data if and only if you STORE the data. If you do not store the data, how can this apply to you? It has been our opinion that as long as you use a gateway processor (and most/all require that you have SSL), you have complied even if your complete site is NOT PCI compliant (as it does not have to be). One should NOT have to be compliant if THEY DO NOT STORE any CC data. My 2 cents, but we are watching what will transpire on this subject.
handsonwebhosting Posted April 15, 2008: PCI Compliance is something that was created by the Payment Card Industry (thus the name). There are a number of places that offer PCI Compliance testing for FREE (HackerSafe is one of them). There are OTHER tests that are run by these companies that are not necessarily PCI stuff, but more security things on servers such as versions of software etc. You can take a self assessment through VISA and MasterCard of the PCI and be in full compliance (depending on your sales volume). Do HackerSafe, HackerGuardian and ControlScan site seals work? That's really a judgement call. Personally, on our own site, I haven't seen a huge increase in sales, and we've been with HackerSafe for nearly 4 years. But I have some clients hosting with us that swear by them, and they are a great visual aid to potential customers. PCI Compliance is not just about storing credit card data, but dealing with credit card information as a whole. If you accept cards online, are you using SSL? If you store card information offline, do you have it under lock and key? All these sorts of things; it's very similar to the Gramm-Leach-Bliley Act which real estate and mortgage brokers deal with on a regular basis.
meeven Posted April 17, 2008: I just asked customer support this question about how/where WHMCS handles its CC data, especially if I want recurring payments. They said the data is stored in an encrypted form in the database. Does this mean that I have to undergo PCI compliance even though I may be using a third party for the actual processing? This is what is unclear to me. Could someone help explain?
WHMCS CEO Matt Posted April 17, 2008: A useful resource with a simple overview on this is: http://en.wikipedia.org/wiki/PCI_DSS There are 12 requirements for compliance. #3 is something we do by storing data encrypted and not storing the CVV number; #4 is something you do by using SSL, and again with the encryption of data in the database; and #7/8 are the admin logins to your WHMCS. The rest are all related to the server/network security side of things, and that's something you need to do: securing your server, monitoring activity, vetting your staff, policies, etc... If you are using any merchant gateway, that is, where you store credit card details for users locally inside your WHMCS, then you should be meeting PCI compliance rules. If you use a third party gateway like PayPal, 2Checkout, WorldPay, etc., then you would not need to be PCI Compliant. Matt
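Matt's point that requirement 3 is met by storing card data encrypted and never storing the CVV, shown as an added Go illustration (not WHMCS code, which is PHP): the storable record has no CVV field at all, the PAN exists only as AES-GCM ciphertext bound to the expiry, and a mask is kept for display. The field names and the key source are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"strings"
)
// CardInput is what the checkout form submits (constructed field names).
type CardInput struct{ PAN, Expiry, CVV string }
// StoredCard is the only shape allowed to reach the database: no CVV field
// exists, and the PAN is present only as ciphertext plus a display mask.
type StoredCard struct {
	Masked string // "************1111", safe for the admin UI
	Expiry string
	PANEnc []byte // nonce || AES-GCM ciphertext, with the expiry bound as AAD
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key lives outside the DB (config/HSM)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Vault turns form input into the storable record; the CVV is dropped here.
func Vault(in CardInput, key []byte) (StoredCard, error) {
	gcm, err := newGCM(key)
	if err != nil || len(in.PAN) < 13 {
		return StoredCard{}, errors.New("bad key or PAN")
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	mask := strings.Repeat("*", len(in.PAN)-4) + in.PAN[len(in.PAN)-4:]
	ct := gcm.Seal(nonce, nonce, []byte(in.PAN), []byte(in.Expiry))
	return StoredCard{Masked: mask, Expiry: in.Expiry, PANEnc: ct}, nil
}

// Open recovers the PAN for a recurring charge; a tampered record fails the tag check.
func Open(sc StoredCard, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sc.PANEnc) < gcm.NonceSize() {
		return "", errors.New("bad key or malformed record")
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, sc.PANEnc[:n], sc.PANEnc[n:], []byte(sc.Expiry))
	return string(pt), err
}
```

Because the expiry is authenticated as associated data, editing it in the database invalidates the stored PAN rather than silently charging a card with altered details.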