If I run a shopping cart application, does the web server need to be PCI compliant? The reason I ask because of the fact that I don't process the payments on the site anyway. The main payment method will be through Paypal.
I have not decided yet which shopping cart application that I will use: it could be one of the followings: opencart, magento, zen-cart
Thank you for your input.
No
Since paypal will be handling credit card data.
see pci compliance faq
Q: To whom does PCI apply?
A: PCI
applies to ALL organizations or
merchants, regardless of size or
number of transactions, that accepts,
transmits or stores any cardholder
data. Said another way, if any
customer of that organization ever
pays the merchant directly using a
credit card or debit card, then the
PCI DSS requirements apply.
Related
We want to integrate a 3rd party service, regarding payments, their API waiting PAN & expiration date, and we need to determinate what PCI level do we need?
So, we just collect this data on client, send them to our server which will send data to them, we do not store it in database.
If your server can see this data, you need PCI SAQ-D, end of story. It doesn’t matter if you’re storing it or not, what matters is that someone who compromises your server can see it in transit. And if you’re asking this question, you do not want to be responsible for all the requirements of D.
To qualify for SAQ-A, or SAQ-A-EP, which are the only other two valid for websites, the card data needs to never come to your server in a readable form. That could mean redirecting the user to a page hosted by your payment processor to enter their data, embedding an iframe they provide, posting it directly to them from the front end (i.e. JavaScript POST), or (maybe) encrypting it with a key that only they can decrypt.
More information can be found in the official summary document
I have a web application where I would like the card reader to scan our school's student ID cards and come out with their ID number. Our original system for managing this with the relevant card readers already has it preset to work, however, now I am trying to use the card reader for web browser forms.
I have coded my pages using Classic ASP and have the data linked to a MS Access Database. The card reader I am using is linked to a program application called Campus Online which manages our student ID cards and data. I am using an ACR122U card reader which works perfectly with our Campus Database.
Simply put, I want to be able to first open the homepage where the scan would need to take place. Scan the student ID card with the card reader in which the desired data (Student ID) will appear in the form field and submit. I've been searching for a couple of days now for a solution but there doesn't seem to be any clear answers to this. I am aware of the post at: How to read a mifare 1k card through ACR122U NFC Tag reader connected to local machine in a web application but it has clearly not answered my question on how to integrate the card reader with my web pages. It only shows demos that do not work with my card reader.
If there is any reference of code, online services that are available to do this or a method on how to integrate the ACR122U card reader with web pages, that would be best.
Thanks for the assistance.
You probably wanting to look into using ACR122U NFC Contactless Smart Card Reader Software Development Kit
How ever you look at this you will have to build some client application to facilitate the action of detecting the card, reading it and then outputting the Student ID to the Web Application window. There is no quick fix I'm afraid.
Luckily your card reader is PC/SC compliant which will make it easier to write something that can interface in a standard way to facilitate your required function. You want to look at using the winscard.dll to use the PC/SC functions built into the Windows OS.
Summary of what you need
Build an application (C++, .Net, Java or some other mainstream programming language that can access the PC/SC APIs in Windows) to do the following;
Detect the card reader.
Detect the card.
Detect the web application window (be it a browser window, custom app etc).
Read the Student ID (depending on whether you are talking about the UID of the card, you may need to perform some key based authentication of the card).
Pass-through the value (active window and injecting standard output).
Well this is quite old, but i was strugling with figuring it out too so I've decided to create some sort of "deamon" in .NET - you can create service, small app running in the background.
Then i've connected it to the websocket, and subscribed socket messages in my web application. now when i use card in my reader, the deamon reads it, and sens message to web socket. then web socket sends it to the app and voila
Is there any reliable geolocation service which could provide me with the latitude and longitude of a mobile device.
I need something like Google Gears(which is unfortunately discontinued) where I can give various data about the carriers cell the device is currently in etc. and get the latitude and longitude.
If the device you have does not support the Location API in HTML5, then you can use the IP address to get the location of the device. Have a look at services like www.maxmind.com. They have a basic free service that does location lookup basedon IP. The free service is accurate to city level. Beware that:
You'll need to implement this server side
It's accuracy is limited, and can be confused by people connecting over corporate networks, or proxies like Opera Mobile Browser.
HTML5 includes a geolocation method: see http://html5demos.com/geo
So it turns out that for a GSM Blackberry device with OS 5 there is no good alternative for getting the location to the standard satellite lock.
WIFI and Cellsite services are not available and unless you have a very good server with huge database with locations of carrier cells all over the world you cannot do anything effective.
We have never transmitted, processed or stored credit card information in the past as we did everything via PayPal so we never needed to be PCI compliant.
However, we are launching a new online store and by having a seamless checkout where credit card information in processed without redirected to PayPal, we need PCI compliance now.
We are going to consult a Qualified Security Assessor Company to guide us through getting and maintaining PCI compliance. However, I wanted to get a decent idea of what i'm looking at before consulting them, before they try to sell you every service in the house that you may not need.
In terms of PCI compliance, I understand it needs to be done on the software and hardware level and meet the 12 points + required. We are going with Magento Professional as it has a PCI compliant payment system, and we are going with a PCI compliant web hosting company (dedicated server). But in terms of software, do you need PCI compliance on EVERYTHING? Or just the software that transmits, store and processes credit card information?
For example, according to Magento, the Payment Software is PCI compliant, while the Magento Platform is not. So this allows you to make changes, modifications and customisations to Magento without affecting the PCI compliance of the payment software.
In other words, i'm asking, do you only need PCI compliance on the source code/software that deals with transmitting, processing and storing credit card information? These 'Qualified Security Assessor Companies' give the impression that all source code needs to be checked for PCI compliance, which is impossible!
For example, in the case of Magento, can I make changes and modifications to it and still remain PCI compliant? So long as the payment module is untouched since it is PCI compliant and the web hosting, server and OS is PCI compliant?
I mean the php, javascript, mysql stuff that does not deal with credit cards don't need to be compliant do they? they will be on the same server of course.
The basic answer is that it depends. In general, only the source code that deals (or can deal) with the sensitive and protected data of PCI needs to be PCI compliant. However, this means that if other areas of your code have access into the secure areas, you need security there as well. If another area of your application were to be vulnerable to SQL injection, for instance, it might compromise your credit card systems. That is why some people will lean towards PCI compliance for all software. There has to be some assurance that a poorly-written piece of software can be exploited to compromise the safety of the data.
I say it depends because there is always some room for interpretation by those doing the inspection. However, the good news is that of all the standards, PCI seems to be the most direct and specific about what you need to do and what you cannot do. Here is more information about what PCI says directly:
https://www.pcisecuritystandards.org/documents/infosupp_6_6_applicationfirewalls_codereviews.pdf
The basic issue here is to be sure that the site cannot be exploited anywhere. If you develop sufficient "firewalls" between your application areas (credit card data versus normal website), it will go a long way towards showing that you only need to scan some code. Also, as the above document states, you don't have to do a source code review in order to be PCI compliant. However, your application needs to be extensively tested to be sure it is safe from typical vulnerabilities.
I can't speak to the legal details of PCI compliance, but if I were an auditor of your system I would squawk very loudly if any non-certified code runs as the same userid that runs the certified code.
I'd also look pretty closely at what setuid/setgid executables are on the system, what runs as root or with elevated capabilities(7) that could influence the PCI-compliant software, and I'd probably demand mandatory access control tools such as AppArmor, SElinux, TOMOYO, or SMACK, and an appropriate configuration that prevents tampering with the PCI-compliant portions of the server by untrusted execution domains.
From few months ago when i was using twitter, i was able to send twitter a SMS and when i go home and check my twitter page, i see the SMS i sent is on the website as a tweet. "That was great"
Now, i want to make the same in my website, so someone will send my website SMS as a command and my website will save this command in the db for future processing.
My problem that i don't know where to begin.
1- How users will send from around the world while there are different mobile companies in each country, or thats not a problem?
2- How my website will receive and read these SMS? there is a service for that?
3- Do you know any articles which simplify these tasks for me?
If someone worked on something like that before, please advice, any info will be helpful.
Contact your messaging provider, they will have solutions for each country they support.
In practice these things need to be agreed on a per-country bases (e.g. shortcodes etc), but the providers will do a lot to help.
Depending on what countries you want to cover, a single provider will probably do it - if you need absolutely every country with a mobile network, then you might need several, in which case integration is more complicated.
Typically they send either a HTTP POST, or a SMTP email to your server when they receive a message to your company's shortcode or shortcode prefix. But the integration options that exist are agreed per provider; there is no real standard or de-facto standard.
Well, first of all you need a sms-gateway. This is a service which you can buy a lot of places with varying prices. Your site can communicate with this gateway in different ways depending on the gateway-host.
Now, you can send messages to the number you bought on the sms-server and poll them (or push, again depending on your sms-provider) to your site. Just as with any other sms "IRL", you can use country codes to send a very costly SMS from around the globe. If you wish to keep this price lower, you need to rent a SMS-gateway which is internationalized or you need to rent one in each country...
.. In conclusion, doing this is not really a feasable option for your small "hobby-type" project :) Renting a SMS-gateway is rather cheap though, so the problem is really in your "multiple countries" request ..
I have created a web service for sending and receiving SMS messages. We are connecting through VPN to the SMS gateway of the local GSM operator: they have assigned us an public number as well as the option to send messages worldwide.
It doesn't matter if we send sms worldwide or receive from anyone - it just work :)
International sms might be a bit more expensive to send.
Edit:
theoretically there is a possibility to send sms thgrough an sip provider (like betamax /voipdiscount.com/) but this is not so fast and reliable comparing to traditional service.
I've had some success in the past with http://www.aspsms.com/
This is a paid service (per SMS) and be aware that you need to pay and FAX (yes, FAX...) your identity information to the before you get an API key.