If you wouldn't mind, go ahead and create a ticket and attach your thoughts on what the text should look like. I want to make sure we have big fat disclaimers that you need to know what you're doing before processing payments.
I think it would be best to add the text to the payment modules page here - http://www.satchmoproject.com/docs/dev/payment.html

-Chris

On Tue, Jul 6, 2010 at 9:52 AM, Alex Robbins <[email protected]> wrote:

> Hey guys, I was just watching a video on Braintree Payment Solutions
> website. They said that your server enters PCI scope as soon as the
> credit card data passes through it. I did a little bit of reading in
> the PCI-DSS and it looks like they are right:
>
> "PCI DSS requirements are applicable if a Primary Account Number (PAN)
> is stored, processed, or transmitted. If a PAN is not stored,
> processed, or transmitted, PCI DSS requirements do not apply."
>
> I was under the mistaken impression that as long as you don't store
> the card numbers, you are compliant. This isn't the case. Even having
> the numbers pass through your server is enough to bring your server
> into PCI scope. Maybe everyone else already knows this, but it was a
> surprise to me.
>
> Moving forward, I wonder if we could, at the very least, document
> this. Right now using the auth.net, cybersource, protx or
> trustcommerce modules would put you under PCI scope. As I understand
> it, the size of the merchant affects whether you can self-assess or
> not, but it doesn't affect the requirements (including things like one
> function per server, no mixing mysql and apache).
>
> I know it isn't Satchmo's responsibility to handle this, but it'd be
> nice to help our users know what they are getting into. Also, there is
> definitely a possibility that I am completely confused.
>
> Braintree's PCI explanation (although they are trying to sell
> something):
> http://www.braintreepaymentsolutions.com/services/pci-compliance
>
>
> Alex Robbins
> 5Q Communications, Inc.
> http://www.5Qcommunications.com/
> [email protected]
> 800-747-4214 ext 913 (p)
> http://www.ask5q.com/twitter/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Satchmo users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at
> http://groups.google.com/group/satchmo-users?hl=en.
