Forum OpenACS Q&A: Payment Vaults

Posted by Iuri Sampaio on
Hi there,

What solutions do we have for payment vaults on OpenACS?

2: Re: Payment Vaults (response to 1)
Posted by Maurizio Martignano on
Dear Iuri,
I see in https://openacs.org/projects/openacs/packages/
a package called "Authorize.net Payment Gateway".
You better check with its author.
Many e-commerce solutions have their own PCI Payment Gateway solutions. Before using them you should also check:
1. which Vault(s) they rely upon
2. how compliant with the standard the selected gateway (and so your website) is.

Hope it helps,
Maurizio

3: Re: Payment Vaults (response to 1)
Posted by Torben Brosten on
Hi,

I found the term "Vault" on pcisecuritystandards.org in only one document; it has to do with forensic investigation guidelines and evidence handling.

https://www.pcisecuritystandards.org/documents/PFI_Program_Guide.pdf

Numerous audits were made of ecommerce a few years ago by different vendors. The only PCI related issue of the system I recall was disclosing credit card expiration date to card holder via email receipt (or web page). It was fixed at the time.

ecommerce doesn't store credit card data after it is used, just set the parameter SaveCreditCardDataP to 0.

The cid is not stored in the db, only passed to the gateway via volatile memory and a service contract.

hope this helps,

Torben

4: Re: Payment Vaults (response to 3)
Posted by Iuri Sampaio on
Why would I care about these words?

There are only a few companies in Brazil who are truly PCI compliant. These are large companies with lots of resources. I am also talking to Adyen, a Dutch group also operating in Brazil, who are a multinational, and they have said there is no easy solution to being PCI compliant, and I will have another conference call with them to discuss possible options. I have another contact with Global Connect, who is also a multinational, and he also says it is not easy to be PCI compliant. So we are talking to large companies with teams of IT people, and all are saying the sharing of credit cards is not that easy, or PCI compliance, but I have you saying you have the solution multinationals don’t have, so forgive me if I am not completely convinced.

Any enlightening idea?

5: Re: Payment Vaults (response to 4)
Posted by Torben Brosten on
Well, PCI compliance is not difficult from a programming standpoint with OpenACS.

The difficulty comes in paying a third party to certify that the software is PCI compliant. iirc some vendors were asked to pay over 10,000USD in circa 2003 for third party auditing and certification.

Last I checked, circa 2004, payment gateway services (and the credit card companies) did not require a vendor to certify their system if the annual revenue is relatively low (under a million USD or something). They just had to agree that they performed the audit on software they had part-authored, and that the software met PCI requirements.

Audits were done, but I'm not aware of any official certification being published.

I think you can be confident in having ecommerce audited, that any issues found could easily be addressed.

That said, if you point to the PCI software requirements, I'll be glad to help identify how ecommerce and related packages meet the requirements.

cheers,

Torben

6: Re: Payment Vaults (response to 4)
Posted by Steve Manning on
Iuri

Don't forget that true PCIDSS compliance isn't just the software on the server but also the network on which your server sits, any other machines on that network, and all the people that have access to them. It's a right royal pain in the arse.

If it's any use to you, we use Verifone's Vanguard solution http://www.verifone.co.uk/. It mitigates the PCIDSS requirement by bypassing your server to obtain tokens to represent the EFT transaction.

Normally, card details are submitted to your server, forwarded to Verifone to obtain a token, and then discarded.

The Vanguard solution short-circuits this by sending card details directly from the user's browser to Verifone, using an embedded form to obtain a token, so that your server only ever receives tokens and never sensitive card details.

Therefore you can safely declare that you don't handle cards and don't need to be compliant.

Regards

- Steve

7: Re: Payment Vaults (response to 1)
Posted by Jim Lynch on
Hi, aren't the payment gateway packages in openacs meant to go with ecommerce? What other application in openacs can they go with?
8: Re: Payment Vaults (response to 7)
Posted by Benjamin Brink on
Hi Jim,

ecommerce package is an early OpenACS package designed to provide a commonly needed set of shopping-basket features.

payment gateway packages are set-up to be used with any ecommerce-like package.

payment-gateway package integrates an ecommerce-like package with a payment gateway package by creating an ACS service contract via the acs-service-contract package; most of payment-gateway's documentation is in the payment-gateway-sc-create.sql file and the docs at https://openacs.org/doc/acs-service-contract

From what I understand, the system is designed to work with variants of ecommerce and gateway packages with different features to handle different commerce conditions.