By Peter Bell

Sharing the PCI Compliance Pain

It looks like Brian Ghidinelli has also been struggling with the practicalities of creating a PCI compliant hosting environment and he's also looking for a vendor to take care of things. With Braintree focused on only larger vendors now, I'm still looking for a solution.

One commenter on Brian's blog seemed to think that just by using Authorize.net's CIM product to hold the cc data he didn't have to deal with PCI. Unfortunately it isn't true. If the cardholder data touches your server for even a fraction of a second (i.e. if the form submits to your server), your server is in scope and you're in a world of pain unless you already have the kind of hosting and security setup that we'd all love but that many smaller websites are simply unable to justify.

Has ANYONE found a real solution for this for the companies that would like to do more than just pass the whole branding of the checkout onto Google checkout or Paypal or the simple auth.net processing method where you use their checkout form?

PCI Compliance - What would you pay for peace of mind?

If you "store, process or transmit" credit card information, you need to get PCI compliant. In practice the requirements are way beyond most smaller merchants. I'm considering developing a new service - this post outlines the risks you have as a developer, the proposed solution and is a way of getting feedback on interest/pricing. Please comment below if you might be interested in this, and if you know any other web devs, please ask them to comment as well . . .

Implementing "Remember Me"/"Forgotten Password" Functionality

How do you implement your "remember me"/"forgotten password" functionality? Here's what we're doing right now . . .

An OO Roles Based Security Model

I just wanted to throw out an approach I’m using for roles based security for OO applications to see if anyone had any thoughts or better ideas . . .

What IS Authentication? Are Users the Only thing we should Authenticate?

Authentication is the process of establishing identity. In the context of web based systems, authentication is typically based on one or more tokens (usually two or more) such as a username and password.

A more interesting question is WHAT can be authenticated? I know I can authenticate a site visitor as a user, but what about authenticating them against a company, an order or an article? . . .

BlogCFC was created by Raymond Camden. This blog is running version 5.005.