
27 Feb 2008, 20:29
Jochen Hayek (6 posts)

Within the section ‘Discussion’ Cody Fauser writes that ‘all other aspects of the PCI DSS are met by the setup’.

Just referring to ‘the setup’ is a little (pls forgive me) wishy-washy.

So does that reliably mean that active_merchant itself is ‘PCI DSS’-safe?

27 Feb 2008, 19:07
Mike Clark (51 posts)

Good question, and I’ll ask the author so we can clarify it in the next revisions. Feel free to file any more errata on the errata page.


03 Mar 2008, 01:33
Jochen Hayek (6 posts)

So, on March 2nd, this was renumbered recipe 35, and within ‘Discussion’ the bullet referring to ‘the setup’ just got removed. Smart approach to getting rid of a problem. But the question remains – although it might well be that it gets answered now somehow anywhere within the recipe text.

Just removing the bullet may solve the issue for somebody who reads this recipe w/o knowing its history, but now that some doubt has arisen inside me, how can I forget it?

03 Mar 2008, 14:47
Mike Clark (51 posts)

Using ActiveMerchant doesn’t mean you’re automatically PCI DSS compliant. ActiveMerchant by itself doesn’t do anything that would make you not compliant. However, being PCI DSS compliant is a lot more than just the code. It stipulates things like access control, monitoring the server room, auditing, documentation, etc.

07 Mar 2008, 20:19
Joshua Schairbaum (1 post)

Mike’s correct. There is nothing in Active Merchant that will make you PCI DSS-compliant, but it doesn’t open any gaps that aren’t there anyway. Disclosure time: I work for “Braintree”:http://www.braintreepaymentsolutions, so please check on facts, don’t just take my word for it. :)

In reality, no solution gives you PCI compliance out-of-the-box, and be wary of companies who claim that. We do have a solution that removes almost all of the 230+ PCI DSS controls from the scope of your environment by ensuring that no customer sensitive credit card data touches your environment, reducing your in-scope controls to ~10. Unlike Paypal, Google Checkout, or Amazon FPS, we do this transparent to your users, so they never see our involvement at all.

I don’t want to hijack this thread at all, but if you’re interested in talking further, you can find me on the “Braintree Developer Community”:

For anyone else, a great resource for PCI DSS compliance is the “PCI Answers Blog”:, run by The Aegenis Group.
