PCI Certification



  • I just received an e-mail from someone that I wrote a custom e-commerce application for.

    Apparently, their bank is requiring that the site undergo a PCI audit or they will no longer accept deposits from the merchant provider.

     PCI Certification strikes me as a big scam, allowing consultants to charge huge amounts of money to keep sites open, especially considering that all CC processing in this site is handed off to Authorize.NET, which is already PCI compliant.

     Has anyone had any direct experience with getting something PCI certified? It looks like I can fill out a Self Evaluation Form and a few other docs and be set.



  • FYI: This isn't a Side Bar WTF, so it should've gone in General Discussion.



  • @AbbydonKrafts said:

    FYI: This isn't a Side Bar WTF, so it should've gone in General Discussion.
     

    And therefore...



  • PCI Certification is a WTF of its own :)

    Nobody reads the other forums. 



  • @Jonathan Holland said:

    PCI Certification is a WTF of its own :)

    Nobody reads the other forums. 

     

    Your reality and mine do not seem to match.

    General Discussion
    Why the heck not?
    Last post: Re: Mandatory Fun Day (http://forums.thedailywtf.com/forums/p/7984/150342.aspx#150342) by ammoQ, 02-21-2008 1:50 PM
    Threads: 749, Posts: 9,685


  • @Jonathan Holland said:

    Apparently, their bank is requiring that the site undergo a PCI audit or they will no longer accept deposits from the merchant provider.

     

    It doesn't stop there; to be sure, some agency is requiring the bank to require ...

    That agency is requiring that requirement because it is required to ...

    If you trace it back far enough the history of this almost certainly involves a poodle.



  • @Jonathan Holland said:

     PCI Certification strikes me as a big scam, allowing consultants to charge huge amounts of money to keep sites open, especially considering that all CC processing in this site is handed off to Authorize.NET, which is already PCI compliant.
     

    Some of it's pure marketing drivel, and protecting the asses of the big CC companies (i.e. Visa/Amex/MC). "If you'd followed PCI, you wouldn't be the cause of X zillions of stolen CC numbers".

    Don't forget that the whole CC system is a chain of trust. Auth.net might be PCI certified, but if your app violates PCI and stores the full CC details (and especially if it stores the CVV2 number), then it doesn't matter how certified auth.net is, your application is going to get torpedoed before the certification consultant even gets in the front door.

    @Jonathan Holland said:

    It looks like I can fill out a Self Evaluation Form and a few other docs and be set.

    Depends on how far you want to take it. You can do the self-eval and claim you're compliant, but watch out if it turns out you lied on some minor point. Or you can go for full code audits and whatnot.



  • @MarcB said:

    @Jonathan Holland said:

     PCI Certification strikes me as a big scam, allowing consultants to charge huge amounts of money to keep sites open, especially considering that all CC processing in this site is handed off to Authorize.NET, which is already PCI compliant.
     

    Some of it's pure marketing drivel, and protecting the asses of the big CC companies (i.e. Visa/Amex/MC). "If you'd followed PCI, you wouldn't be the cause of X zillions of stolen CC numbers".

    Don't forget that the whole CC system is a chain of trust. Auth.net might be PCI certified, but if your app violates PCI and stores the full CC details (and especially if it stores the CVV2 number), then it doesn't matter how certified auth.net is, your application is going to get torpedoed before the certification consultant even gets in the front door.

    @Jonathan Holland said:

    It looks like I can fill out a Self Evaluation Form and a few other docs and be set.

    Depends on how far you want to take it. You can do the self-eval and claim you're compliant, but watch out if it turns out you lied on some minor point. Or you can go for full code audits and whatnot.

     

    The only thing stored in our database is the last 4 digits of the CC number. I think this will be easy to pass, but there is no way we are footing the bill for some consultant to dig through our code.



  • @Jonathan Holland said:

    Nobody reads the other forums. 

     

    Doesn't justify your posting elsewhere, however. Show a little courtesy. After all, you're a guest here. 



  • @KenW said:

    @Jonathan Holland said:

    Nobody reads the other forums. 

     

    Doesn't justify your posting elsewhere, however. Show a little courtesy. After all, you're a guest here. 

     

    Oh noes! Be careful, otterdam might make a greasemonkey script to ignore you!

    Oh wait, that's a good thing... Never mind. Carry on.

