PCI compliant - Ecommerce - Ecommerce - Progress Community

PCI compliant

  • How does the eCommerce module sit with PCI compliance?
  • Hello,

    The ecommerce module is currently preparing for PCI certification, which is very time consuming, so I can't give an exact date to get certified. We are working hard towards getting Sitefinity ecommerce PCI compliant. It is currently not PCI compliant, but when it is we will announce it in the release notes.

    Greetings,
    Stanislav Velikov
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug is fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  • Is there an update on this topic?
  • Sorry for the double post....
  • Hey John,

    It's still a work in progress...

    Jochem.
  • Any news on PCI certification?
  • Hey Philip,

    Officially no news...

    My tea leaves say it won't happen till after the new release (also given the fact that Ivan Osmak during the London conference promised a bug-free Ecommerce).

    Jochem.
  • Is being PCI-compliant considered included in that bug-free e-commerce promise? That seems like a critical hurdle that needs to be overcome in order to be a relevant solution. Our clients, merchants, and their customers are at too much risk using a non-certified tool.

    As a partner we're disappointed this isn't complete and is even available for production use in its current state.

  • Hey John,

    Honestly I don't know if PCI-Compliance is 'included' in the bug-free promise. I'm keeping a close watch on the ecommerce development and tried to jump on any issue since it was introduced in v4.2.1650 but still, I'm an outsider so I can't speak for Telerik.

    PCI compliance is about security and in the case of Sitefinity (being a payment application in terms of PCI) it falls under even stronger guidelines. I'm not aware of any security related issues, but I think Ivan's statement was in light of 'annoying' & 'breaking' issues that were non payment related.

    ---

    I believe what's holding up PCI compliance are two main issues: 'partially related maturity' and 'offsite payment providers'.

    'Partially related maturity'
    For instance, in the last release (5.0.2800) they fixed a bug regarding European use of ',' as a decimal separator instead of the '.' (comma vs period) with regard to discounts in multi-lingual environments. Or in the release before that, a weight field was carrying a ',' as decimal separator in the db although it functioned properly inside Sitefinity.

    Ecommerce hasn't been around for a year yet and there are still little edge cases that need to be smoothed over and protected. So even though strictly these don't fall under 'PCI', they're still important issues they want to get out of the way first.

    'Offsite payment providers'
    Sitefinity chose to support offsite payment providers as well, where you browse to the payment processor's website to complete the transaction and then return to Sitefinity with an 'ok'.

    This has been on the road map for some Q's and it wouldn't have made sense to first get PCI certification and then on the next release go through the process again... (unfortunately 'offsite' has been postponed some Q's but you can see the business decision behind it).

    ---

    To sum it up:
    All I'm saying is educated guessing, I have no official inside information, but since nobody's making an official detailed explanation I'm sharing what I know and believe.

    The lack of compliance is due to business decisions and time consuming audits and even though Ivan didn't mean to include 'pci-compliance' when he made the promise, I'm confident we'll see 'pci-compliance' with or shortly after the next release.

    Jochem
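The decimal-separator bugs described in the post above (a ',' written to the database under a European locale, and a discount value misread when the same text is parsed elsewhere) are a common .NET pitfall. The following is an added example, not Sitefinity code or anything from the thread, showing the culture-sensitive round-trip that produces a stored "12,5" and the culture-invariant form that keeps persisted numbers locale-independent. The weight value and the list of cultures are constructed for the demonstration.

```csharp
using System;
using System.Globalization;

// Added example (not Sitefinity's code): culture-sensitive vs. culture-invariant
// decimal persistence. Values and cultures below are constructed for the demo.
class DecimalSeparatorDemo
{
    // Bug pattern: format with the thread's current culture. Under de-DE or nl-NL
    // the weight 12.5 is written to storage as "12,5".
    public static string SaveWithCurrentCulture(decimal value) => value.ToString();

    // Fix pattern: persist with the invariant culture so the stored text is always "12.5",
    // whatever locale the editing user or the worker thread happens to run under.
    public static string SaveInvariant(decimal value) =>
        value.ToString(CultureInfo.InvariantCulture);

    public static decimal LoadInvariant(string stored) =>
        decimal.Parse(stored, NumberStyles.Number, CultureInfo.InvariantCulture);

    // Where the discount bug bites: text formatted under one culture and parsed under another.
    // With the invariant culture, NumberStyles.Number treats ',' as a thousands separator,
    // so "12,5" silently becomes 125 rather than failing.
    public static decimal ParseAsInvariant(string cultureFormatted) =>
        decimal.Parse(cultureFormatted, NumberStyles.Number, CultureInfo.InvariantCulture);

    static void Main()
    {
        decimal weight = 12.5m;                       // constructed sample value
        var cultures = new[] { "en-US", "de-DE", "nl-NL" };

        foreach (var name in cultures)
        {
            CultureInfo.CurrentCulture = new CultureInfo(name);

            string cultureText = SaveWithCurrentCulture(weight);   // "12.5" or "12,5"
            string invariantText = SaveInvariant(weight);          // always "12.5"

            Console.WriteLine(
                $"{name}: current-culture text '{cultureText}' -> parsed as invariant {ParseAsInvariant(cultureText)}; " +
                $"invariant text '{invariantText}' -> {LoadInvariant(invariantText)}");
        }
        // Expected: en-US round-trips to 12.5; de-DE and nl-NL store "12,5" and parse back as 125
        // under the bug pattern, while the invariant form returns 12.5 in every culture.
    }
}
```

The practical rule for storage, serialization, and anything that crosses a process boundary is to format and parse with `CultureInfo.InvariantCulture` and reserve the current culture for display only; a value that looks right in the UI, as the weight field did, can still be wrong on disk.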
  • Hello

    Sitefinity is currently going through PA-DSS compliance. PA-DSS stands for “Payment Application Data Security Standard”. It is the merchant who has to be PCI-DSS certified; however, a merchant cannot be PCI-DSS certified if they are not using PA-DSS compliant software.

    The PA-DSS assessment is conducted by a third-party service provider and usually takes between 6 and 12 months to complete. Sitefinity will pass any third-party screening service, which are services that scan for security vulnerabilities of a web site. These scanning services are usually required by banks or merchant service providers every quarter.

    Greetings,
    Stanislav Velikov
    the Telerik team
  • Hi,

    Has there been any progress on the PA-DSS compliance?

    Thanks!
    Lee.
  • Hello Lee,

    The ecommerce module is in the process of moving toward it; however, as mentioned before, the process is very long, the requirements in terms of security are very strict, and this process is not yet completed.

    Greetings,
    Stanislav Velikov
    the Telerik team
  • This is frustrating as this module has been available for over a year. This process should not take this long.

    To everyone else tracking this conversation - what are you using for e-commerce solutions? We're always looking for solid and robust solutions for our clients.

    Cheers!
  • G'day guys,

    Request an update on PCI compliance. I'm keen to buy in and move off X-Cart - but don't wish to do so until you have PCI-DSS compliance and support for E-Way.