PCI Compliance for DF PayPal integration
Last Post 05-25-2012 07:26 AM by Candace. 6 Replies.
Dan C. (05-22-2012 03:49 PM)

Recently it was brought to my attention that sites (companies of sites) that handle the selling of goods, services, subscriptions, etc. involving payment processing must be PCI compliant.

What experience have you had with being PCI compliant?
With DF I have linked many a form to PayPal for payment processing and never had a worry with PCI compliance, as no payment information is being collected.

It has recently been brought to my attention that this is about to change. I am told (not 1st hand) that US based companies that sell anything online, regardless of whether they handle payment details or pass the user to a payment processor and never receive sensitive payment information, MUST be PCI compliant.

Really? Wouldn't be the first time bureaucrats made a complete mess of it all, but this seems genuinely hard to believe.

What is your experience and how do you stay PCI compliant with DF?
Ryan Bakerink (05-23-2012 06:37 AM)

Hello Dan,

I have been using Dynamic Forms for 2+ years and never really had the chance to become familiar directly with PCI standards. It becomes difficult to ensure that standards are followed for certain regulatory specifications, since there are so many out there.

Can you please let me know more directly which sections you're not certain Dynamic Forms is PCI compliant with?

Are you wondering about how to prevent saving sensitive credit card information in tables?

Please let me know more specifically what you're seeking to have responses to based on PCI compliance.

Thanks,

Ryan
Candace (05-23-2012 07:21 AM)

Hi Dan,

PCI compliance simply makes sure security is in place in case a merchant chooses to store sensitive customer information like credit card numbers, expiration dates, etc. in their database. Some merchants like to store this info for record keeping purposes. Or it may be customer-friendly for merchants to save these details so returning customers do not have to re-enter their card info when re-ordering, but this comes with risks, of course. There are specific requirements to make sure that this type of information is not easily hacked into.

So, you are right, if you are using PayPal Standard where your site "never sees" your customer's financial information, there is not much concern for PCI compliance. All the checks and balances are actually required on the side of PayPal.

On the other hand, if you choose to use credit cards on your site with, say, Authorize.net, then you do need to think about PCI compliance. In Dynamic Forms and Dynamic Registration, you can set credit card related fields to either not save input in the database or to encrypt/decrypt. You'll find this under Advanced Field Options.

Here's a link that might help: https://www.pcisecuritystandards.org/merchants/index.php

Please let us know if you come across new information regarding PCI compliance laws and requirements.

Thanks!
Candace

Dan C. (05-23-2012 09:46 AM)

Candace - I agree with you, this is how I think it should be interpreted.

On the site you mentioned, I was researching several key points that stood out to me:

1.) (cited from the website referenced above)
Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

In the Q&A cited above it states basically any cardholder data; further down the page on the site referenced above it defines cardholder data:

2.)
Q: What is defined as 'cardholder data'?
A: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

This presents an interesting point: most forms store 'who' filled the form out and pass that information to PayPal, and according to this definition of cardholder data that falls under the PCI compliance definition.

PayPal does offer a PayFlow service to better assist with managing PCI compliance, but it appears all organizations with public facing access (website IPs, etc.) that meet the cardholder definition must undergo security scans, self evaluation surveys, etc.

Considering the duration of time DNN has incorporated PayPal (and other payment processors), this seems like a significant area of contention that the community would have addressed, but more importantly the commercial customers would be required to do, especially with user registration, etc.

Until recently I had the same perspective as you and others on the forum, but this is not passing muster with auditors, who have much latitude when interpreting the above standard that can identify a purchaser's name and/or address.
Candace (05-24-2012 07:44 AM)

Hi Dan,

Yes, everyone in the DNN community should be aware and striving to meet PCI requirements. I feel that this quote from above makes a difference:

Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

If your customer is paying through PayPal Standard, your customer is technically not paying you, the merchant, directly using a credit card or debit card. They are authorizing a transfer of funds to PayPal and you are essentially receiving payment from PayPal associated with that user. That means that in your own database, there is no credit/debit/bank information that can be associated with your user. This, I think, is one of PayPal's "selling points."

Of course, I am not a lawyer (this is not legal advice) and I will encourage you to perform security scans, etc. as you see fit. You might also bring this up in the DNN community forums and the PayPal forums and see what feedback you get. I'd be interested to know, too.

Thanks!
Candace

Dan C. (05-24-2012 10:03 AM) [Accepted Answer]

I asked the same question on a different DNN related forum and received this reference: Robb Bryn has a blog at www.dotnetnukefool.com/Blog.aspx that includes a nice three part series on PCI Compliance and DotNetNuke.

My Response:
This is a really good article and if correct (and I believe it is), as a host or admin, etc. it is 'my' responsibility to be compliant.

Does it appear PCI compliance is only necessary if I collect credit card information or social security numbers?

NO - even if you're passing a form user's name and address to a payment processor you ARE collecting cardholder information and you should be PCI compliant.

Are you going to get audited? Who knows, but that article is extremely helpful in getting it set up and how to manage the process of getting compliant.

Again, if you think (like I did) that because you're not collecting credit card data, but passing it to a processor from a form, you are using way too much common sense and should check with a fickle auditor who thought the IRS was too relaxed and wanted a real challenge like PCI or SOX compliance... (lol).

Good news is the best DNN hosting data centers already meet these challenges and DNN is built to support compliance measures you must take.

Best of luck to everyone.
Candace (05-25-2012 07:26 AM)

Ahh -- the blog was very informative! Thanks for sharing, Dan!