PCI Compliance

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
13 years ago
jigarshah48 wrote:
I also wanted to know whether the latest version 1.80 is compliant with PCI DSS? If yes, then can we get detailed information on how it's compliant?

nopCommerce 1.80 also meets all PCI compliance requirements. But we haven't passed any official certification.
13 years ago
jigarshah48 wrote:
Hi,

I also wanted to know whether the latest version 1.80 is compliant with PCI DSS?

If yes, then can we get detailed information on how it's compliant?

Thanks


To satisfy your bank that your site is PCI compliant, you'd generally have to show that you are using a host that has passed PCI compliance, a payment system that is certified, and that you are running a compliant shopping cart application. The certification for shopping carts ("payment applications") is called PA-DSS.

There are very few certified shopping carts at present, largely because the cost of getting certified is astronomical (well over 10,000 dollars, and then ongoing costs each year). If you take Magento for example, the paid-for versions (very expensive) are certified, but the free one that the vast majority are running is not.

Under the rules as defined by the people who run PCI (i.e. Visa et al.), a payment application is an application that "stores, transmits or processes card holder data". So under this interpretation, if you use a third-party payment system like PayPal, Worldpay, etc. and use one of the implementation options where the credit card info is entered directly on the third-party site (rather than being taken on your own site and then passed in real time to the gateway), then under the specification nop is not acting as a payment application (since it neither stores, processes nor transmits card holder data).

PayPal, on its own site, appears to take this interpretation...

https://www.paypal.com/pcicompliance

And since PCI is about keeping your merchant account provider (and/or bank) happy, then if PayPal are happy, you can be too.

However, there appears to be a lot of confusion out there, and nop would also be a payment application where you accept cards on your site and then pass them (encrypted or otherwise) to a third-party gateway (you aren't storing or processing, but you are "transmitting"). If you are storing credit card details in the database, then things are even more difficult - my advice is don't do this, just don't do it.

But the fact is that you don't need a certified cart unless you choose one of the gateway implementations where nop will be taking card holder details. If you really need to do that, you're probably going to have to spend some serious money to buy an application that has gone through the expense of being certified... your PCI compliance will likely also require much more work, like staff vetting (make sure they aren't criminals), network security in your office, etc., as well as insisting the software is PA-DSS.

Nop is free, so you can't expect the guys to spend 10,000 dollars or more on PA-DSS. If we want it certified, it's up to us, the users, to raise the money. Threatening to take your business elsewhere is unlikely to persuade them to pay for it - after all, they give you the software for free, so if you go elsewhere, they aren't losing out; this isn't like a traditional "I'll take my business elsewhere" situation.
13 years ago
So, is Authorize.net accepting merchants that are using nopCommerce as their shopping cart?
I'm not clear on this. Can anyone tell me please?

Thank you in advance.
JC
13 years ago
jsantaella wrote:
So, is Authorize.net accepting merchants that are using nopCommerce as their shopping cart?
I'm not clear on this. Can anyone tell me please?

Thank you in advance.
JC


wouldn't it make more sense to ask Authorize.net that question?
13 years ago
Sandman... I apologize if my question seemed stupid, but a yes or no would have been nice... don't you think?
No hard feelings...
13 years ago
jsantaella wrote:
So, is Authorize.net accepting merchants that are using nopCommerce as their shopping cart? I'm not clear on this. Can anyone tell me please?

I think you'll not be allowed to use Authorize.net until nopCommerce is PA-DSS certified.
13 years ago
jsantaella wrote:
Sandman... I apologize if my question seemed stupid, but a yes or no would have been nice... don't you think?
No hard feelings...


No, I was serious about asking Authorize.net. There doesn't appear to be a yes or no answer.

Take a look at this page...

http://www.authorize.net/solutions/merchantsolutions/merchantservices/certifiedsolutiondirectory/

These are their "certified" solutions. But research a few and you'll find many aren't PA-DSS certified! They even say that inclusion in their list doesn't mean they satisfy PCI requirements.

I've recently set up a site (I'd rather not provide a link) for a client who is using an off-the-shelf bit of software that includes a payment module (but it's not a shopping cart). We got Authorize.net set up on it with no problems. But others told me prior to this that they'd had problems with Authorize.net and told me we wouldn't be able to get our client's site live.

So the best thing is to talk to them about it - only they can say yes or no to your particular project.
13 years ago
Sandman wrote:
Sandman... I apologize if my question seemed stupid, but a yes or no would have been nice... don't you think?
No hard feelings...

No, I was serious about asking Authorize.net. There doesn't appear to be a yes or no answer.

Take a look at this page...

http://www.authorize.net/solutions/merchantsolutions/merchantservices/certifiedsolutiondirectory/

These are their "certified" solutions. But research a few and you'll find many aren't PA-DSS certified! They even say that inclusion in their list doesn't mean they satisfy PCI requirements.

I've recently set up a site (I'd rather not provide a link) for a client who is using an off-the-shelf bit of software that includes a payment module (but it's not a shopping cart). We got Authorize.net set up on it with no problems. But others told me prior to this that they'd had problems with Authorize.net and told me we wouldn't be able to get our client's site live.

So the best thing is to talk to them about it - only they can say yes or no to your particular project.


Now that's a good answer. Thank you for taking the time to explain this issue. BTW, can you suggest a US payment gateway that is supported by nopCommerce and doesn't have problems with PA-DSS compliance?

Thanks again!!
13 years ago
I propose a fundraising campaign to get nopCommerce PA-DSS certified. I'm sure there are many of us willing to give our contribution. You can count on me. We'll all benefit from it.
13 years ago
jsantaella wrote:
I propose a fundraising campaign to get nopCommerce PA-DSS certified. I'm sure there are many of us willing to give our contribution. You can count on me. We'll all benefit from it.


I second that motion!