Aggiedan97
Nuke Master, Posts: 162
05/22/2012 7:53 PM

Recently it was brought to my attention that sites (the companies behind the sites) that handle the selling of goods, services, subscriptions, etc., involving payment processing must be PCI compliant. What experience have you had with being PCI compliant? With Dynamic Forms I have linked many a form to PayPal for payment processing and never had a worry with PCI compliance, as no payment information is being collected. It has recently been brought to my attention that this is about to change. I am told (not first hand) that US-based companies that sell anything online, regardless of whether they handle payment details or pass the user to a payment processor and never receive sensitive payment information, MUST be PCI compliant. Really? It wouldn't be the first time bureaucrats made a complete mess of it all, but this seems genuinely hard to believe. What is your experience, and how do you stay PCI compliant with Dynamic Forms or DNN subscription features?

Joseph Craig
DNN MVP, Posts: 11667
05/22/2012 11:20 PM

I'm hardly an expert. I took a quick look at http://www.pcicomplianceguide.org/pcifaqs.php. Here is one item:

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

There is a lot of other information there.

Joe Craig, Patapsco Research Group - Complete DNN Support

Aggiedan97
Nuke Master, Posts: 162
05/23/2012 8:46 AM

Correct, Joe. I'm curious when that article was authored, as there are a lot of people ranting about new regulations this year. (Interestingly, PCI compliance is not a regulation, but a standard imposed by the major card companies.) The Q&A cited above states basically any cardholder data; further down the page on the site referenced above it defines cardholder data:

Q: What is defined as 'cardholder data'?
A: Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, social security number, etc. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data.

This presents an interesting point: most forms store 'who' filled the form out and pass that information to PayPal, and according to this definition of cardholder data that falls under the PCI compliance definition. PayPal does offer a Payflow service to better assist with managing PCI compliance, but it appears all organizations with public-facing access (websites, IPs, etc.) that meet the cardholder definition must undergo security scans, self-evaluation surveys, etc. Considering the length of time DNN has incorporated PayPal (and other payment processors), this seems like a significant area of contention that the community would have addressed, but more importantly one the commercial customers would be required to address, especially with user registration, etc.

Joseph Craig
DNN MVP, Posts: 11667
05/23/2012 9:02 AM

Dan, it might be interesting to see if someone at PayPal is able to answer these questions ...

Joe Craig, Patapsco Research Group - Complete DNN Support

Aggiedan97
Nuke Master, Posts: 162
05/23/2012 9:15 AM

I was researching PCI compliance on the PayPal site and found this informational page: https://merchant.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=merchant/pci_compliant_solution I am planning to call their number and ask questions, but I suspect that getting straight answers vs. being sold a service/product could be challenging. I have a local customer that is constantly faced with PCI compliance audits and will seek their experiences as well, from a real-world point of view.

Joseph Craig
DNN MVP, Posts: 11667
05/23/2012 5:50 PM

Robb Bryn has a blog at www.dotnetnukefool.com/Blog.aspx that includes a nice three-part series on PCI Compliance and DotNetNuke.

Joe Craig, Patapsco Research Group - Complete DNN Support

Aggiedan97
Nuke Master, Posts: 162
05/24/2012 8:56 AM

This is a really good article, and if correct (and I believe it is), as a host or admin, etc., it is 'my' responsibility to be compliant. Does it appear PCI compliance is only necessary if I collect credit card information or social security numbers? NO - even if you're passing a form user's name and address to a payment processor, you ARE collecting cardholder information and you should be PCI compliant. Are you going to get audited? Who knows, but that article is extremely helpful in getting it set up and in how to manage the process of getting compliant. Again, if you think (like I did) that you're exempt because you're not collecting credit card data but passing it to a processor from a form, you are using way too much common sense and should check with a fickle auditor that thought the IRS was too relaxed and wanted a real challenge like PCI or SOX compliance... (lol). The good news is that the best DNN hosting data centers already meet these challenges, and DNN is built to support the compliance measures you must take. Best of luck to everyone.

Joseph Craig
DNN MVP, Posts: 11667
05/24/2012 2:27 PM

Robb Bryn and other stellar members of the DotNetNuke community will be speaking at what appears to be one of the very best DotNetNuke meetings ever: the Day of DotNetNuke on June 2 in Charlotte, NC. If you can get to Charlotte, you'll have a great day of learning!

Joe Craig, Patapsco Research Group - Complete DNN Support

Aldis Miller
Nuke Newbie, Posts: 1
07/23/2012 7:57 AM

PayPal has Payflow Link, which makes it easier for people to meet PCI standards. It offers a checkout page template. This solution delivers two key advantages. Your customers never leave your site, giving them a seamless checkout experience. And since PayPal is PCI-compliant, your task of meeting these standards is a good deal simpler.

Mohammad
Nuke Master, Posts: 100
10/01/2012 3:57 AM

Hi all, this is Sameer, using DNN 6.2.2, in which I have to integrate online payment for donations for one of my client's NGO websites. Is there any free module available for this, or any other good payment module available in DNN for quick payment? I have tried PayPal also, but their integration process is very lengthy. Please help me.

Joseph Craig
DNN MVP, Posts: 11667
10/01/2012 10:12 AM

Be sure to read Robb Bryn's blog about PCI compliance. For simple donations, visit the PayPal site and look for information on adding a "donate" button to your site. Note that PayPal does charge a processing fee for contributions.

Joe Craig, Patapsco Research Group - Complete DNN Support

Mohammad
Nuke Master, Posts: 100
10/02/2012 11:05 PM

OK, thanks for this.
