forwardgear
02-25-2009, 05:47 PM
Hi everyone,
This is my first post. I've been reading up on the PCI DSS in regards to a new online store and found this forum by way of the pcianswers.com blog.
I've read numerous online posts and articles tonight, including several posts on this forum. I'm sure I have typical questions and I'm simply trying to wade through this apparent mess of PCI "compliance". I suppose what my decision boils down to is do I need to hire PCI DSS compliant hosting for my online store, and, if accompanied by a PCI DSS compliant gateway, will my store be PCI DSS compliant as well?
Two posts on this forum were of particular interest:
One from cmark on January 23, 2009 which suggested readers look at Mercantec, ProPay, etc. in regards to "alternative solutions". http://forum.paymentsecuritypros.com/showthread.php?t=641&page=2
One from alphonze Today regarding a topic started by art (Today) where the discussion orbited around using an iFrame or GET-POST process to remove any data processing across the store hosting environment (only processed across the gateway environment). http://forum.paymentsecuritypros.com/showthread.php?t=700
After trying to educate myself as to what all this PCI stuff means, I was left wondering:
1 - Is there any reason I would want to or need to store PCI DSS relevant data on "my" system?
2 - Is sensitive data still at some point (even temporarily) stored on "my" system, even if using a gateway, etc?
3 - Is there any way to prevent that and not throttle the functionality of the store and/or the business?
It seems that the answer to 1 could be yes in regards to returns/backorders, but it also seems that some service providers (gateways?) allow return credits and backorder billing without retention of PCI DSS relevant data. Can someone give me an overview/recommended providers of this kind of functionality?
On to question 2. If I no longer need to store PCI DSS relevant data for long periods of time for the purposes of returns and/or backorders, then is there still the threat of that data being on "my" system at some point (in a cookie, a session, RAM, etc)? It seems as though the response to that is most likely yes, that even if PCI DSS relevant data is not moved into a long-term storage place (database) at any point, it may still reside on "my" system at some point, even if only in energized memory, thus "my" system is subject to PCI compliance. True?
In regards to question 3, there was the suggestion (as per the cmark post referenced above) that the probable trend in PCI DSS compliance was an option such as that offered by Mercantec. However, I cannot see how that is any different in regards to PCI DSS compliance when compared to the logic used in the post from alphonze, which essentially says (and I agree) that even though the form is hosted by/references a PCI DSS compliance resource, the site it is embedded into could still be hacked and the embedded code changed such that the assumed PCI DSS compliant mechanism is bypassed altogether. Therefore, the site using the embedded code must still comply with PCI DSS standards.
If I hire PCI DSS compliant hosting, am I free to save (long-term) PCI DSS relevant data? If not held long-term (the reasons for doing so are discovered to be faulted), am I free of risk regarding the temporary storage of PCI DSS relevant data (in memory)?
Overall, this seems like a huge concept to adequately understand, leading to potentially prohibitive burdens to overcome, especially for smaller merchants.
Right now, I'm quite overwhelmed...
Chris