
Thread: My client's cart is now non-compliant?

  1. #1
    Junior Member rizzoid's Avatar
    Join Date
    Jul 2005
    Posts
    21

    My client's cart is now non-compliant?

    As a web developer, this has me very concerned. A couple of years back we made a cart for a board game company using Joomla and Virtuemart. My client's bank is now stating that the cart system is non-compliant because the credit cards are entered on the site. Even though we're using SSL and a private IP address, and the money exchange is done on Authorize.net, they claim this is not good enough. Has anyone had a similar complaint about a cart they put together for a client? Her bank has threatened to shut it down if it doesn't pass the next Trustwave PCI assessment. This cart setup is used on MANY sites.

    Thanks in advance!

    -r
    Sitecats Web Development, Doylestown, PA
    Easy to edit Joomla websites - New Sites - Conversions - 215-345-9050

  2. #2
    Senior Member
    Join Date
    Nov 2003
    Posts
    130
    Many banks and processors are taking the easy route and doing exactly what you are describing. The shopping cart must qualify for PCI SAQ-A, meaning that the card information must be sent directly to a PCI certified third party processor/gateway and the shopping cart server cannot ever come in contact with real cc data, or the shopping cart must be on the PCI certified compliant list. The latter is still difficult, as you must also jump through some hoops proving your hosting provider is PCI compliant.

    If you're using a commercial or open source shopping cart, many have payment modules that qualify for PCI SAQ-A. If you're home grown, see if your gateway offers an API for this capability; if not, find a new gateway that does. The key is PCI SAQ-A (https://www.pcisecuritystandards.org...cument=2.0#2.0). I hope this helps.
    Last edited by Shift4SMS; 02-13-2012 at 06:18 PM.
    --Steve
    Secure payment processing

  4. #3
    Junior Member rizzoid's Avatar
    Join Date
    Jul 2005
    Posts
    21
    Thanks a bundle Steve. For those interested, I'm told installing a SIM method module as opposed to the regular AIM method might ensure compliance. Still researching to make sure.
    Sitecats Web Development, Doylestown, PA
    Easy to edit Joomla websites - New Sites - Conversions - 215-345-9050

  5. #4
    Senior Member
    Join Date
    Nov 2003
    Posts
    130
    I don't think SIM by itself ensures compliance, but it appears there might be options that allow for the SAQ-A level of support I am talking about. I think their Direct Post Method (DPM) can be used with SIM -- but they are a competitor of ours and I try not to know too much about competitors' APIs, so I'm not 100% certain. Maybe some authorize.net guru can chime in?...
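    The SAQ-A boundary Steve describes in #2 (the cart server must never come in contact with real card data) and the direct-post style discussed in #4, as an added illustration that is not from any poster, Authorize.net or Virtuemart: the browser posts card data to the gateway, and the cart only receives a signed result. The field names, the HMAC-SHA256 callback signature and the shared secret below are constructed assumptions, not any real gateway's API; the PAN scan shows how a cart can detect that card data has strayed onto its own server, which would pull it out of SAQ-A scope.

```python
import hashlib
import hmac
import re

# Constructed: secret shared between merchant and gateway out of band (not a real API).
GATEWAY_SECRET = b"example-shared-secret"
PAN_RE = re.compile(r"\d{13,19}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, the check digit scheme card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pan_like_values(form: dict) -> list:
    """Names of form fields whose value looks like a real card number."""
    hits = []
    for name, value in form.items():
        compact = re.sub(r"[ -]", "", str(value))
        if PAN_RE.fullmatch(compact) and luhn_valid(compact):
            hits.append(name)
    return hits


def gateway_signature(fields: dict) -> str:
    """Constructed: the gateway signs its result so the cart can trust the callback."""
    msg = "|".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return hmac.new(GATEWAY_SECRET, msg, hashlib.sha256).hexdigest()


def handle_gateway_callback(form: dict) -> dict:
    """SAQ-A style handler: accept only a signed result, never card data."""
    if find_pan_like_values(form):
        # An AIM-style post with the PAN landed on the cart server: out of SAQ-A scope.
        return {"accepted": False, "reason": "card data reached the cart server"}
    payload = {k: v for k, v in form.items() if k != "signature"}
    expected = gateway_signature(payload)
    if not hmac.compare_digest(form.get("signature", ""), expected):
        # Without the signature check a shopper could forge an "approved" result.
        return {"accepted": False, "reason": "bad gateway signature"}
    return {"accepted": True, "transaction_id": payload.get("transaction_id"),
            "status": payload.get("status")}
```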

  6. #5
    Moderator SteveGerencser's Avatar
    Join Date
    Jan 2005
    Location
    Small town Tennessee
    Posts
    2,207
    Wait till they tell you that you have to enable SSL ftp to be compliant. The PCI rules are out of control.
    You can't create artful marketing with color by number seo

  7. #6
    Junior Member rizzoid's Avatar
    Join Date
    Jul 2005
    Posts
    21
    I have SSL enabled, and I'm willing to go the SIM or DPM route. I have a dedicated server with a very stout firewall. However, I've seen conflicting information on several forums now saying even this is not enough. I'm going to advise all my customers to drop SSL and go with Paypal or Google Wallet. Authorize.net, Trustwave and GoDaddy are going to lose out big time. I'm sure I'm like tens of thousands caught in this PCI scam business.
    Sitecats Web Development, Doylestown, PA
    Easy to edit Joomla websites - New Sites - Conversions - 215-345-9050

  8. #7
    Senior Member
    Join Date
    Nov 2003
    Posts
    130
    Quote Originally Posted by rizzoid:
    ...I'm going to advise all my customers to drop SSL and go with Paypal or Google Wallet...
    That is a route but a little extreme. Besides, most will still need SSL for non-payment related handling of personal information. I know I don't fill out forms requesting my personal information that are not via SSL; I'm sure in this day and time that there is a significant percentage of security aware shoppers with the same thought.

    There are several gateways other than PayPal and Google Wallet that offer solutions that qualify for PCI SAQ-A, and many of these solutions are not nearly as restrictive.
