recipe 33 "Process Recurring Credit Card Payments" vs. PCI DSS
Jochen Hayek
4 posts
Within the section ‘Discussion’ Cody Fauser writes, Just referring to ‘the setup’ is a little (pls forgive me) wish-wash. So does that reliably mean,
Mike Clark
Administrator
26 posts
Good question, and I’ll ask the author so we can clarify it in the next revisions. Feel free to file any more errata on the errata page. Thanks!
Jochen Hayek
4 posts
So, on March 2nd, this was renumbered recipe 35, Just removing the bullet may solve the issue for somebody,
Mike Clark
Administrator
26 posts
Using ActiveMerchant doesn’t mean you’re automatically PCI DSS compliant. ActiveMerchant by itself doesn’t do anything that would make you not compliant. However, being PCI DSS compliant is a lot more than just the code. It stipulates things like access control, monitoring the server room, auditing, documentation, etc.
Joshua Schai...
1 post
Jochen, Mike’s correct. There is nothing in Active Merchant that will make you PCI DSS-compliant, but it doesn’t open any gaps that aren’t there anyways. Disclosure time: I work for Braintree, so please check on facts, don’t just take my word for it. :) In reality, no solution gives you PCI compliance out-of-the-box, and be wary of companies who claim that. We do have a solution that removes almost all of the 230+ PCI DSS controls from the scope of your environment by ensuring that no customer sensitive credit card data touches your environment, reducing your in-scope controls to ~10. Unlike Paypal, Google Checkout, or Amazon FPS, we do this transparently to your users, so they never see our involvement at all. I don’t want to hijack this thread at all, but if you’re interested in talking further, you can find me on the Braintree Developer Community. For anyone else, a great resource for PCI DSS compliance is the PCI Answers Blog, run by The Aegenis Group.
5 posts, 3 voices
