Forum OpenACS Q&A: Re: Payment Vaults

3: Re: Payment Vaults (response to 1)
Posted by Torben Brosten on

I found the term "Vault" on in only one document; It has to do with forensic investigation guidelines and evidence handling.

Numerous audits were made of ecommerce a few years ago by different vendors. The only PCI related issue of the system I recall was disclosing credit card expiration date to card holder via email receipt (or web page). It was fixed at the time.

ecommerce doesn't store credit card data after it is used, just set the parameter SaveCreditCardDataP to 0.

The cid is not stored in the db, only passed to the gateway via volatile memory and a service contract.

hope this helps,


4: Re: Payment Vaults (response to 3)
Posted by Iuri Sampaio on
Why would I care about these words?

There are only a few companies in Brazil who are truly PCI compliant. These are large companies with lots of resources. I am also talking to Adyen a Dutch group also operating in Brazil who are a multinational and they have said there is no easy solution to being PCI compliant and will have another conference call with them to discuss possible options. I have another contact with Global Connect who is also a multinational and he also says it is not easy to be PCI compliant. So we are talking to large companies with teams of IT people and all are saying the sharing of credit cards is not that easy or PCI compliance but I have you saying you have the solution multinationals don’t have so forgive me if I am not completely convinced.

Any enlightening idea?

5: Re: Payment Vaults (response to 4)
Posted by Torben Brosten on
Well, PCI compliance is not difficult from a programming standpoint with OpenACS.

The difficulty comes in paying a third party to certify that the software is PCI compliant. iirc some vendors were asked to pay over 10,000USD in circa 2003 for third party auditing and certification.

Last I checked, circa 2004, Payment gateway services (and the credit card companies) did not require a vendor to certify their system if the annual revenue is relatively low (under a million USD or something). They just had to agree that they performed the audit on software they were part of author of, and that the software met PCI requirements.

Audits were done, but I'm not aware of any official certification bein published.

I think you can be confident in having ecommerce audited, that any issues found could easily be addressed.

That said, if you point to the PCI software requirements, I'll be glad to help identify how ecommerce and related packages meet the requirements.



6: Re: Payment Vaults (response to 4)
Posted by Steve Manning on

Don't forget that true PCIDSS compliance isn't just the software on the server but also the network on which your server sits. Any other machines on that network and all the people that have access to them. Its a right royal pain in the arse.

If its any use to you, we use Verifone's Vanguard solution It mitigates the PCIDSS requirement by bypassing your server to obtain tokens to represent the EFT transaction.

Normally, card details are submitted to your server, forwarded to Verfione to obtain a token, and then discarded.

The Vanguard solution short-circuits this by sending card details directly from the user's browser to Verifone, using an embedded form to obtain a token, so that your server only ever receives tokens and never sensitive card details.

Therefore you can safely declare that you don't handle cards and don't need to be compliant.


- Steve