recipe 33 "Process Recurring Credit Card Payments" vs. PCI DSS

Within the section ‘Discussion’ Cody Fauser writes,
that ‘all other aspects of the PCI DSS are met by the setup’.

Justing referring to ‘the setup’ is a little (pls forgive me) wish-wash.

So does that reliably mean,
that active_merchant itself is ‘PCI DSS’-safe?

Good question, and I’ll ask the author so we can clarify it in the next revisions. Feel free to file any more errata on the errata page.

Thanks!

So, on March, 2nd, this was renumbered recipe 35,
and within ‘Discussion’ the bullet referring to ‘the setup’ just got removed.
Smart approach to getting rid of a problem.
But the question remains—although it might well be,
that it gets answered now somehow anywhere within the recipe text.

Just removing the bullet may solve the issue for somebody,
who reads this recipe w/o knowing its history,
but now, that some doubt arose inside me,
how can I forget it?

Using ActiveMerchant doesn’t mean you’re automatically PCI DSS compliant. ActiveMerchant by itself doesn’t do anything that would make you not compliant. However, being PCI DSS compliant is a lot more than just the code. It stipulates things like access control, monitoring the server room, auditing, documentation, etc.

Jochen,

Mike’s correct. There is nothing in Active Merchant that will make you PCI DSS-compliant, but it doesn’t open any gaps that aren’t there anyways. Disclosure time: I work for Braintree href=”http://www.braintreepaymentsolutions”>http://www.braintreepaymentsolutions, so please check on facts, don’t just take my word for it. :)

In reality, no solution gives you PCI compliance out-of-the-box, and be wary of companies who claim that. We do have a solution that removes almost all of the 230+ PCI DSS controls from the scope of your environment by ensuring that no customer sensitive credit card data touches your environment, reducing your in-scope controls to ~10. Unlike Paypal, Google Checkout, or Amazon FPS, we do this transparent to your users, so they never see our involvement at all.

I don’t want to hijack this thread at all, but if you’re interested in talking further, you can find me on the Braintree Developer Community href=”http://developer.getbraintree.com”>http://developer.getbraintree.com.

For anyone else, a great resource for PCI DSS compliance is the PCI Answers Blog href=”http://www.pcianswers.com”>http://www.pcianswers.com, run by The Aegenis Group.