DrupalSecurityTeam / drupalpcicompliance

Official github repo for the Drupal PCI compliance white paper.
http://drupalpcicompliance.org

Do not hide issues around PCI PA-DSS #35

Open damz opened 10 years ago

damz commented 10 years ago

The current version of the document tip-toes around PCI PA-DSS by saying:

Note: This paper specifically excludes PA-DSS because Drupal is Open Source Software and (whether right or wrong) falls outside the PA-DSS standard.

As I explained before, there is nothing that I know of in the PCI PA-DSS standard that would exclude Open Source Software from the scope of the standard.

The "Payment application" (i.e. what generates the payment form, receives and processes the credit card information) is only excluded from the standard if it is "developed for and sold to a single customer for the sole use of that customer" or "developed by merchants and service providers if used only in-house".

While it probably doesn't matter that much given the payment networks' unwillingness to enforce the standard, it would be good to clarify that things have the potential to get very messy here.

Or maybe you have more information than I do, in that case it would be good to add more sources here.

rickmanelius commented 10 years ago

Hi @damz. Tagging this for consideration of 1.3 (I'm currently focusing on getting 1.2 out the door and will address after that).

greggles commented 2 years ago

Has there been any progress on this topic in the world since the issue was filed?

greggles commented 2 years ago

If it's a murky situation I'm ok with the document saying that, FWIW. If someone can propose text, especially with a reference footnote, it would be likely to get merged.