[GRLUG] PCI v1.2 Compliance.

Greg Folkert greg at gregfolkert.net
Thu Dec 11 13:57:53 EST 2008


On Thu, 2008-12-11 at 12:35 -0500, Michael Mol wrote:
> On Thu, Dec 11, 2008 at 12:19 PM, Greg Folkert <greg at gregfolkert.net> wrote:
> > On Wed, 2008-12-10 at 18:29 -0500, Greg Folkert wrote:
> >> be warned, my reply is long and could have been orders of magnitude
> >> longer.
> >>
> >> On Wed, 2008-12-10 at 16:05 -0500, Adam Tauno Williams wrote:
> >> > On Wed, 2008-12-10 at 15:21 -0500, Greg Folkert wrote:
> >> > > All I can say it *IT SUCKS*.
> >> >
> >> > Actually I think PCI is a pretty good standard.  I think 98% of the
> >> > recommendations are solid/good practices.   And it makes a nice club to
> >> > beat good security practices into an organization.
> >>
> > [snip lotsa stuff]
> >
> > Any comments from anyone? Or insight? Or contrarian thoughts? Or flames?
> >
> > I'd have really thought many people would feel this... or at least have
> > more comments than from the regular peanut gallery.
> 
> What's the cost comparison to just accepting PayPal?

We have a PayPal gateway. Credit cards are integrated into our product
for things like recurring payments and returning
customer/constituents... a separate "cart and checkout" is seen by many
of our customers (read as ministries) as a bad thing, perception is 90%
of getting the donations through a campaign and they are very
particular.

We secure everything with GeoTrust SSL certificates and have many many
many safeguards in place, particularly input escaping on all 4 layers
of our product plus the web side of things.

You see, you are thinking of using an "outside service" vs part of your
complete system. CRM (comprehensive customer relationship management
systems) we have donation/spending data going back 35 years on some
"constituents" as our customers WANT it to be there. Previous addresses,
previous phone numbers, records of each "telephone conversation" over
the past years, kids' names, anniversaries, important topics... pretty
much ANYTHING available to the phone operators... it's also available
through the web APIs we have developed through access through (SSLified)
SOAP (slow slow slow 4-20 seconds initial response typically) and an
encrypted Binary stream (same info, 250ms initial response with data).

We aren't talking SugarCRM here which is very new compared to our whole
design and data relationships setup. We have our default data
structures, plus tables within tables and views on the tables inside the
table. These "supplemental" records are those tables inside this table.
Each with indexes and uniqueness in them. Some customer's supplemental
table exceeds 80 Million records.

It's all about our customer wanting to be full service and making things
happen right away.

We also have CashLinq, Beanstream and about 5 other payment gateways for
our customers. This is what makes us a Level 1 provider.

The more questions the better.
-- 
greg at gregfolkert.net
PGP key 1024D/B524687C 2003-08-05
Fingerprint: E1D3 E3D7 5850 957E FED0  2B3A ED66 6971 B524 687C
Alternate Fingerprint: 09F9 1102 9D74  E35B D841 56C5 6356 88C0
Alternate Fingerprint: 455F E104 22CA  29C4 933F 9505 2B79 2AB2