(Sorry-- originally sent without subject.) I have a customer who currently has his site set up this way: donors select (on a non-secure page) the level of donation they want to donate, provide their name and an attestation, etc. None of the data confidential. Then they press the button, and we send them off to a secure payment gateway operated by the merchant service company. They take down the credit card and other information, clear the transaction, and pass the approval/disapproval info back to my customer's website. An email then gets fired to my customer containing all the data about the transactions EXCEPT the confidential information, like credit card number, etc. In essence, my customer is not responsible for any confidential/secure information, which is all handled by the merchant gateway. For whatever unknown reason, my customer has been convinced they should go with a different merchant service company. However, this company doesn't have the same kind of secure payment pages. (Yes, they're legitimate, but they're simply a payment processor. They don't have the additional site to accept manual input of payment information and such.) I've explained to my customer that, in doing this, he will need: 1) a fixed IP ($) 2) a security certificate ($) 3) an online store (as opposed to a single page he has now) 4) a whole new set of PCI responsibilities which his organization is not prepared to fulfill. ($) I'm certain people on this list have set up this type of system for customers. So I have some questions: 1) Does the usual online store software (osCommerce or whatever) include "secure" pages for acceptance of credit cards? I know they have the capability to pass this info securely off to places like authorize.net for processing. 2) Assuming a customer website, probably hosted in a shared hosting environment, with appropriate ecommerce store software, how does one deal with PCI compliance? I mean, the customer would have no control over the data center where the site is hosted. Moreover, they would probably have little control over the updating of insecure software, as demanded by PCI. They likely don't have the facilities to do the type of penetration testing PCI wants. So how could they (or how do you) deal with the potentially hundreds of questions the PCI questionnaire asks about all this stuff? How do you, as a programmer doing this for a customer, handle this? Paul -- Paul M. Foster http://noferblatz.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
