daveb wrote:
3: if you do store credit card details on your server then you have to be PCI certified and compliant, either done yourself or via a company like SecurityMetrics.
I can't see any reason for anyone to store CC details on their server. It's just asking for trouble.
I don't think just storing credit card details on your server is an issue - it's also processing card details
i.e. taking card details from a web page, returning them to the server, processing the payment, then discarding the card number still means you are handling card details, and your server, the network it is on, and anyone accessing the server need to be covered under your PCI compliance.
Why, if you are not storing the data?
If, for example, a tech at your ISP can access your server, there is the possibility that they can harvest those card details.
If your whole setup is PCI compliant (and not just the application - that's just the starting point) then this should not be possible.
Where staff may be able to access sensitive data, the PCI questionnaire requires them to be credit-checked, to make sure they are not skint and looking for a way out.
The rules are really quite detailed.
If you are not sure, go to
https://www.pcisecuritystandards.org/merchants/self_assessment_form.php, click on the 'Select and download your SAQ' link, then on the next page download the first doc, 'PCI DSS v2.0' (you'll need to register, I think).
When you've read it, you'll perhaps understand why achieving compliance is so difficult.
With nopCommerce, just adding a new payment method would render the certification invalid and as so many people develop and extend it, lots of versions out there will not be compliant.
Commercial ecommerce platforms, which aren't editable in the same way, don't suffer this problem.