PCI Compliance

This is an open forum for any mojoPortal topics that don't fall into the other categories.

This thread is closed to new posts. You must sign in to post in the forums.
9/29/2010 9:43:15 PM

PCI Compliance

Hello everyone! Let me start by saying thank you very much to the powers that be for producing a wonderful system. When I began working with CMS software I started off implementing some of the larger/better-known packages out there, only to quickly become frustrated by all the hoops one must jump through as a developer to extend their system. (What a pain!) Then I came across mojoPortal and was pleasantly surprised at just how easy it is to extend right out of the box! I can see myself using this product for years to come!

Ok, on to my question (don't want anyone getting a big head ;))... I was just curious whether anyone has looked into what (if any) changes would be required to allow mojoPortal to pass PCI Compliance testing. For some of my smaller clients I'm thinking that the e-commerce portion of the system may be sufficient for their needs, but before diving into the code surrounding that area of the project I figured I might check and see whether others who are more in the know might be able to provide some feedback/direction.

Thanks, and thanks again for a wonderful project! Keep up the good work.

9/30/2010 7:03:30 AM

Re: PCI Compliance

Hi,

The first thing you should understand is that our WebStore feature is not currently a general purpose ecommerce solution. It is suitable for selling some download products, but it does not have shipping calculations, so it is not really built for shippable products yet, and overall it has a very limited feature set. I use it on this site to sell my add-on products, and I share the feature with others in case it might be enough to meet their needs. Eventually it will evolve into a more feature-rich solution, but it is not there today. So PCI concerns aside, it may not be/probably is not suitable for your needs at this time.

I "think" PCI compliance is mainly a concern when directly processing credit card payments within the site, i.e. using Authorize.NET or PlugNPay. For those who use only PayPal and Google Checkout, the processing of payment happens at the PayPal or Google servers, and we collect no credit card information and are not directly involved in processing the payments.

I can also say that I followed the best practice guidelines provided by the Authorize.NET documentation and other related documentation from Visa, and I think we are probably in compliance, since we do not retain any credit card data in the database at all. The user enters the information on a page protected by SSL, it posts to the mojoPortal server, and from there a secure server-to-server web request is made to the gateway (i.e. Authorize.NET). We do not keep the credit card number or security codes anywhere. We only keep auth codes and transaction ids.

Hope it helps,

Joe

11/18/2010 5:06:47 PM

Re: PCI Compliance

Hey Joe,

I apologize for the late response, but thank you for taking the time to get back with me.
