By Peter Bell

Sharing the PCI Compliance Pain

It looks like Brian Ghidinelli has also been struggling with the practicalities of creating a PCI compliant hosting environment, and he too is looking for a vendor to take care of it. With Braintree now focused only on larger merchants, I'm still looking for a solution.

One commenter on Brian's blog seemed to think that just by using Authorize.net's CIM product to hold the credit card data he didn't have to deal with PCI. Unfortunately that isn't true. PCI DSS covers any system that stores, processes or transmits cardholder data, so if the card number touches your server for even a fraction of a second (i.e. if the checkout form submits to your server before you hand the data off to CIM), your server is in scope and you're in a world of pain unless you already have the kind of hosting and security setup that we'd all love but that many smaller websites simply can't justify.
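The scope question above comes down to one thing: does a card number ever arrive in a request to your own server? The following is an added example, not code from this post or from any of the vendors mentioned. It is a small PAN detector (13 to 19 digit runs, Luhn-checked to cut false positives) run over a few constructed, already URL-decoded form posts; the paths and field names are invented for illustration. A request that carries a Luhn-valid card number puts the receiving server in scope, while a post that only carries an order reference and redirects the shopper to a hosted checkout page does not.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers (separators stripped) found in text."""
    found = []
    for m in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Show only the last four digits, so a report never re-exposes a PAN."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_requests(requests):
    """For each (method, path, body), report whether cardholder data reached the server."""
    report = []
    for method, path, body in requests:
        pans = find_pans(body)
        report.append((method, path, bool(pans), [mask_pan(p) for p in pans]))
    return report


# Constructed sample requests (hypothetical paths and fields; bodies URL-decoded).
# 4111 1111 1111 1111 is a well-known Visa test number and is Luhn-valid.
SAMPLE_REQUESTS = [
    # Checkout form posts the card to our own server: in scope.
    ("POST", "/checkout/pay.cfm",
     "name=A Buyer&card=4111-1111-1111-1111&exp=12/10&cvv=123"),
    # Hosted-page flow: we only send an order reference and amount, the
    # shopper enters the card on the processor's page: no PAN reaches us.
    ("POST", "/checkout/redirect.cfm",
     "order=ORD-20081008-0042&amount=49.95&return_url=/thanks.cfm"),
    # A mistyped number that fails the Luhn check is not flagged by this scan.
    ("POST", "/checkout/pay.cfm",
     "name=B Buyer&card=4111111111111112&exp=12/10&cvv=123"),
]


if __name__ == "__main__":
    for method, path, in_scope, masked in classify_requests(SAMPLE_REQUESTS):
        print(f"{method} {path}: {'IN SCOPE' if in_scope else 'no PAN seen'} {masked}")
```

Note the third request: the Luhn filter keeps order numbers and phone numbers out of the report, but it also ignores a card number the shopper mistyped, which still passed through your server. A scan like this is a useful check on logs and request captures; the real determination is architectural, namely whether the form posts to you at all.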

Has ANYONE found a real solution to this for companies that want to do more than hand the whole branding of the checkout over to Google Checkout or PayPal, or use the simple Authorize.net processing method where the shopper fills in their checkout form?

Comments
I use Billing Orchard (http://www.billingorchard.com/default.cfm?pid=a2de... for a couple projects. It hooks into Authorize.net and even recurring billing. There is an easy API and also something called Checkout Pages which are easy to use and move the credit card capture off your site. There is a call-back on the Checkout Pages that works pretty slick, too.

They use ColdFusion, too!
# Posted By liquidnw | 10/8/08 11:59 AM
Maybe I'm missing something. This appears to be a billing app for billing clients rather than something you'd use for the checkout of (say) an e-commerce store. No?
# Posted By Peter Bell | 10/8/08 12:11 PM
Yes, it is a billing app, but there are also e-commerce features, and that's what I use. They don't seem to talk that up on their site much, though, huh? They also have a new feature called "Checkout pages". They have a link to an example page, but not much more description. They have a free trial which might show you the Checkout page interface.

Main site (see "Checkout Page" example):
- http://www.billingorchard.com/default.cfm?pid=a2de...

API
- https://www.billingorchard.com/api/clientAPI_trans...
# Posted By liquidnw | 10/8/08 1:25 PM
I have found around 5, and am evaluating 8 managed hosts who do PCI compliance. Will be blogging shortly. But yes, the PCI spec is explicit, as it covers transmitting, storing and processing. So like Peter says, even for a second, if you do pass off CC data to a third party you must still be compliant.
# Posted By Sami Hoda | 10/8/08 11:41 PM
I gave the PCI-DSS presentation back at the last cfObjective. My company FusionLink is providing PCI level hosting services. You can email me at mason \at\ fusionlink.com for more information.
# Posted By John Mason | 10/13/08 1:58 PM
I've been dealing with this PCI stuff as well and trying to find some better options for my customers. I agree with the comments on the earlier blog article about it being really hard to get them to understand the issue. Just trying to get across to them that even if my software is secure and encrypting the card data, this does NOT mean they are PCI compliant... most don't even know what that means and don't seem to think they really need to worry about it. It's a frustrating situation for those of us who do web development, and we really need to be protecting ourselves legally as well, as when lawsuits happen, people start looking for where they can pass the blame.
# Posted By Mary Jo | 10/13/08 2:17 PM
BlogCFC was created by Raymond Camden. This blog is running version 5.005.