Users - Is ofbiz PCI compliant?

Users - Is ofbiz PCI compliant?

Blessing, Jeffrey J
Hey group,
 
I just received the following blurb from Ziff-Davis promoting a seminar next week and I'm wondering:  Is OFBiz PCI compliant?  Has anyone followed the Payment Card Industry compliance standards?  They cite hefty fines for those who don't comply with these standards.
 
"It can often be confusing and difficult for organizations to undertake the process of finding out if they are compliant with the Payment Card Industry (PCI) standard, and if they are not compliant, identifying what specific and practical steps they must take to meet the security guidelines. With fines of up to $500,000 being imposed and restrictions being put in place by card companies for organizations who have not yet achieved PCI compliance, merchants have a pressing need to complete their data security efforts around this standard."
 
Just wondering,
-Jeff
 

 
_______________________________________________
Users mailing list
[hidden email]
http://lists.ofbiz.org/mailman/listinfo/users

Re: Users - Is ofbiz PCI compliant?

BJ Freeman
I have not found a comprehensive list of requirements.  If you have a
link to such requirements, would appreciate it.

Ofbiz does encrypt the CC number.
Further steps are more in the installation of ofbiz, so the data is not
available from the internet, such as putting ofbiz on the router so it
can access the db on a private network, not accessible from the Internet.


Blessing, Jeffrey J sent the following on 6/4/06 9:28 AM:

> Hey group,
>  
> I just received the following blurb from Ziff-Davis promoting a seminar next week and I'm wondering:  Is OFBiz PCI compliant?  Has anyone followed the Payment Card Industry compliance standards?  They cite hefty fines for those who don't comply with these standards.
>  
> "It can often be confusing and difficult for organizations to undertake the process of finding out if they are compliant with the Payment Card Industry (PCI) standard, and if they are not compliant, identifying what specific and practical steps they must take to meet the security guidelines. With fines of up to $500,000 being imposed and restrictions being put in place by card companies for organizations who have not yet achieved PCI compliance, merchants have a pressing need to complete their data security efforts around this standard."
>  
> Just wondering,
> -Jeff

Re: Users - Is ofbiz PCI compliant?

Blessing, Jeffrey J
The best link I've found that describes what PCI compliance is comes from Visa.com:
 
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
 
It appears that PCI compliance is a big (and growing) industry in itself.  Most searches turn up companies that offer PCI compliance services (hence the seminar notice earlier :-)
 
-Jeff

________________________________

From: [hidden email] on behalf of BJ Freeman
Sent: Sun 6/4/2006 11:35 AM
To: OFBiz Users / Usage Discussion
Subject: Re: [OFBiz] Users - Is ofbiz PCI compliant?



I have not found a comprehensive list of requirements.  If you have a
link to such requirements, would appreciate it.

Ofbiz does encrypt the CC number.
Further steps are more in the installation of ofbiz, so the data is not
available from the internet, such as putting ofbiz on the router so it
can access the db on a private network, not accessible from the Internet.



Re: Users - Is ofbiz PCI compliant?

BJ Freeman
Been a while since I visited their site. It has been updated.
I scanned the cisp_PCI_Self_Assessment_Questionnaire.doc from
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html
My opinion is that ofbiz, as software, does comply.
However, most of the document has to do with what I mentioned before,
installation of ofbiz.
That is the responsibility of the person installing and maintaining ofbiz.


Blessing, Jeffrey J sent the following on 6/4/06 10:15 AM:

> The best link I've found that describes what PCI compliance is comes from Visa.com:
>  
> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
>  
> It appears that PCI compliance is a big (and growing) industry in itself.  Most searches turn up companies that offer PCI compliance services (hence the seminar notice earlier :-)
>  
> -Jeff

Re: Users - Is ofbiz PCI compliant?

David E. Jones
In reply to this post by Blessing, Jeffrey J

The PCI requirements are for a company, and not for a system per se.

In other words it is not correct to say that "OFBiz is PCI Compliant", but it is correct to say that an organization properly implementing OFBiz and following the requirements over time will be PCI compliant.

For more information on this you might want to search the mailing list history as there was a pretty good discussion of this a little while back.

-David


Blessing, Jeffrey J wrote:

> The best link I've found that describes what PCI compliance is comes from Visa.com:
>  
> http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html
>  
> It appears that PCI compliance is a big (and growing) industry in itself.  Most searches turn up companies that offer PCI compliance services (hence the seminar notice earlier :-)
>  
> -Jeff