Jochen Hayek (4 posts)

Within the section ‘Discussion’, Cody Fauser writes
that ‘all other aspects of the PCI DSS are met by the setup’.

Just referring to ‘the setup’ is a little (please forgive me) wishy-washy.

So does that reliably mean
that active_merchant itself is ‘PCI DSS’-safe?

Mike Clark (Administrator, 26 posts)

Good question, and I’ll ask the author so we can clarify it in the next revisions. Feel free to file any more errata on the errata page.

Thanks!

Jochen Hayek (4 posts)

So, on March 2nd, this was renumbered recipe 35,
and within ‘Discussion’ the bullet referring to ‘the setup’ was simply removed.
Smart approach to getting rid of a problem.
But the question remains—although it might well be
that it now gets answered somewhere within the recipe text.

Just removing the bullet may solve the issue for somebody
who reads this recipe without knowing its history,
but now that some doubt has arisen inside me,
how can I forget it?

Mike Clark (Administrator, 26 posts)

Using ActiveMerchant doesn’t mean you’re automatically PCI DSS compliant. ActiveMerchant by itself doesn’t do anything that would make you not compliant. However, being PCI DSS compliant is a lot more than just the code. It stipulates things like access control, monitoring the server room, auditing, documentation, etc.

Joshua Schai... (1 post)

Jochen,

Mike’s correct. There is nothing in Active Merchant that will make you PCI DSS-compliant, but it doesn’t open any gaps that aren’t there anyway. Disclosure time: I work for Braintree, so please check the facts; don’t just take my word for it. :)

In reality, no solution gives you PCI compliance out of the box, and be wary of companies who claim that. We do have a solution that removes almost all of the 230+ PCI DSS controls from the scope of your environment by ensuring that no sensitive customer credit card data touches your environment, reducing your in-scope controls to ~10. Unlike PayPal, Google Checkout, or Amazon FPS, we do this transparently to your users, so they never see our involvement at all.

I don’t want to hijack this thread at all, but if you’re interested in talking further, you can find me on the Braintree Developer Community.

For anyone else, a great resource for PCI DSS compliance is the PCI Answers Blog, run by The Aegenis Group.
