Comments on: Why Open Source Drives PCI Nuts

By: Greg McGraw

Greg McGraw — Thu, 17 Jun 2010 13:25:09 +0000

From a customization standpoint, open source software is great. But, paractically speaking, there is no way to audit the software for PA-DSS for that very same reason. We continue to preach ‘outsourcing’ payment acceptance to our open source merchants exclusively to one or more certified 3rd parties which effectively takes the software out of the scope of PCI and the categorization as a payment application. Level 4 merchants should research hosted payment pages, alternative payments, etc. and not rely solely on scans to claim that they are PCI compliant or rely on the shopping cart maker to PA DSS their software, which is clearly not in their basket of expertise.

By: Shiva

Shiva — Fri, 11 Jun 2010 08:42:48 +0000

Reminds me on a similar question on custom vendor ( again it was a customized oscommerce solution ). The vendor was asked on the PCI compliance and it was well put in that the bridge may not be established between PCI and software untill the software was finalized ( up and ready for the market ). I think that is the case with most open source software… after Os software is the clay and it can moulded anyway for that matter :).

By: Evan Schuman

Evan Schuman — Fri, 11 Jun 2010 01:58:32 +0000

That’s the danger. With any kind of modification, the app vendor is no longer responsible and the duty falls directly on the merchant, just as it had been a fully homegrown app.

By: Juan David

Juan David — Fri, 11 Jun 2010 01:50:45 +0000

Hi everyone, I think that if an open source package is modified in any way, that software must be considered, automatically, a custom made application, and must comply with all requirement 6.

By: Marc

Marc — Thu, 10 Jun 2010 12:04:25 +0000

Open Source and PCI can match well together: just to mention upcoming Magento PA-DSS compliance or CRESecure solution.