signy
Member Likes (0)
Hi,
I understand there are new PCI DSS requirements that apply to Level 4 merchants (under 20,000 transactions). I note that some other WordPress shopping carts are advertising that they are PCI DSS Compliant (see http://shopplugin.net/updates/2-years-of-wordpress-shopp/).
I did some brief research on some guidelines. See https://www.pcisecuritystandards.org/approved_companies_providers/validated_payment_applications.php?agree=true# and http://www.securingabusiness.com/is-your-shopping-cart-software-putting-your-family-and-home-at-risk/.
Questions:
1. Is MarketPress PCI or PCI DSS compliant?
2. Do you plan to get a PCI Compliance Certificate for MarketPress?
3. What steps should I take to ensure that MarketPress is PCI Compliant?
4. Could I combine another PCI compliant shopping cart with MarketPress (so I can use the multisite/vendor marketplace features) to make MarketPress PCI compliant?
Thanks.

Responses (7)
Lifetime Member (joined April 2011) Likes (0)
Great questions. Would love an article from wpmu.org on this and other precautions on selling online!
Sales & Support Pro (joined March 2010) Likes (0)
Hiya guys,
As MarketPress uses external gateways rather than taking credit card details itself it's not something that we need to build in.
Rather, the compliance is handled by the payment processors, such as PayPal and Amazon.
It's only if you create your own payment gateway collecting card details that you'd need to worry about PCI compliance.
Cheers,
Phil
Lifetime Member (joined April 2011) Likes (0)
That was the question I had from reading those two links above. What if we collect the information on our site, but it is just embedded from another gateway? For example, doesn't PayPal Pro allow you to take the info from your site?
Not really a MarketPress question, but something I am wondering.
Member (joined April 2010) Likes (0)
Hi,
To get clarification, I contacted Control Scan, one of the security scanning outfits (see http://www.pcicomplianceguide.org/pcifaqs.php).
According to the representative I spoke with, getting certification of the shopping cart is a "nice to have" but not mandatory under the PCI guidelines. The ultimate requirement is passing a quarterly security scanning test that involves hosting and payment processor security issues, among other things (see link above for list of requirements). Knowing that the shopping cart is PCI certified helps in identifying potential security flaws, but so long as you meet all the ultimate standards (through whatever means, including a PCI certified shopping cart), you can satisfy the PCI compliance standards.
If I find out more about this, I will post an update.
Thanks for the help.
Lead Developer (joined May 2009) Likes (0)
The only gateway we have currently that you would need to worry about is Authorize.net AIM.
The plugin requires you to have an SSL cert when using it. We don't store any CC details; that's all handled by Authorize.net, so PCI requirements are minimal. Though it would be your responsibility when using it. It has much more to do with your hosting and company policies.
https://www.pcisecuritystandards.org/documents/pci_saq_a_v2.doc
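The two situations described in this thread differ in what the plugin itself has to get right. With a hosted gateway such as PayPal, as Phil explains above, the card form lives on the processor's site and card data never touches the WordPress install. With a direct-post gateway such as Authorize.net AIM, the card form is on your own page, which is why the SSL requirement above matters and why the plugin must not keep anything it handles. The following is an added example, not MarketPress or WPMU DEV code, of the checks a direct-post integration needs: refuse plain HTTP, validate the card input before sending it anywhere, forward it once over a verified TLS connection, and persist only the processor's transaction id and the last four digits. Everything prefixed `example_gateway_`, the two meta keys and the processor URL are assumptions; `is_ssl()`, `wp_die()`, `wp_remote_post()`, `sanitize_text_field()`, `wp_unslash()`, `update_post_meta()` and `WP_Error` are WordPress core.

```php
<?php
// Added illustration, not MarketPress code. Checks a direct-post (AIM-style)
// gateway needs so the WordPress site keeps as little PCI scope as possible.
// All example_gateway_* names, the meta keys and the processor endpoint are
// hypothetical; the WordPress functions used are core.

// 1. Refuse to render or accept a card form over plain HTTP.
function example_gateway_require_tls() {
	if ( ! is_ssl() ) {
		wp_die(
			esc_html__( 'Checkout is only available over HTTPS.', 'example-gateway' ),
			'',
			array( 'response' => 403 )
		);
	}
}

// 2. Luhn check on a digits-only card number. It proves nothing about the
//    account, but it rejects typos and junk before any data is sent anywhere.
function example_gateway_luhn_ok( $digits ) {
	$len = strlen( $digits );
	if ( $len < 13 || $len > 19 ) {
		return false;
	}
	$sum    = 0;
	$double = false;
	for ( $i = $len - 1; $i >= 0; $i-- ) {
		$d = (int) $digits[ $i ];
		if ( $double ) {
			$d *= 2;
			if ( $d > 9 ) {
				$d -= 9;
			}
		}
		$sum   += $d;
		$double = ! $double;
	}
	return 0 === $sum % 10;
}

// 3. Handle the checkout POST: validate, forward once over TLS, and keep only
//    the processor's transaction id plus the last four digits. The full PAN
//    and the CVV are never written to the database or to a log.
function example_gateway_handle_checkout( array $post, $order_id ) {
	example_gateway_require_tls();

	$pan = isset( $post['card_number'] ) ? sanitize_text_field( wp_unslash( $post['card_number'] ) ) : '';
	$cvv = isset( $post['card_cvv'] ) ? sanitize_text_field( wp_unslash( $post['card_cvv'] ) ) : '';
	$pan = preg_replace( '/\D/', '', $pan );

	if ( ! example_gateway_luhn_ok( $pan ) || ! preg_match( '/^\d{3,4}$/', $cvv ) ) {
		return new WP_Error( 'invalid_card', __( 'Card details are not valid.', 'example-gateway' ) );
	}
	$last4 = substr( $pan, -4 );

	// Placeholder endpoint and response format; a real integration follows the
	// processor's documented API. Certificate verification stays on.
	$response = wp_remote_post(
		'https://processor.example/charge',
		array(
			'timeout'   => 30,
			'sslverify' => true,
			'body'      => array(
				'card_number' => $pan,
				'card_cvv'    => $cvv,
				'order_id'    => $order_id,
			),
		)
	);
	unset( $pan, $cvv, $post ); // card data leaves scope as soon as it is sent

	if ( is_wp_error( $response ) ) {
		return $response; // transport error; the message carries no card data
	}
	$body = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( empty( $body['transaction_id'] ) ) {
		return new WP_Error( 'declined', __( 'Payment was declined.', 'example-gateway' ) );
	}

	// Persist only non-sensitive references to the payment.
	update_post_meta( $order_id, '_example_gateway_txn_id', sanitize_text_field( $body['transaction_id'] ) );
	update_post_meta( $order_id, '_example_gateway_last4', $last4 );
	return true;
}
```

The hosting and policy side that the Lead Developer mentions (a valid certificate on the checkout host, no debug logging of request bodies, the quarterly scan) sits outside the plugin and is not something this code can enforce; the example only shows what the plugin's own share of the responsibility looks like.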
Member (joined April 2010) Likes (0)
Thanks. I'll take a look at the SSL cert requirements via my hosting company.
WPMU DEV Fanatic (joined October 2009) Likes (0)
Sounds good, just let us know if any other questions come up and we'll take a look. :)
Thanks,
David