ExpressionEngine CMS
This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


PCI compliance

March 18, 2011 11:32am

  • #1 / Mar 18, 2011 11:32am

    Brian M.

    529 posts

    Greetings!

    I’m busy upgrading an old EE 1.5.2 website to the new and oh so shiny EE 2.1. I wanted to probe the EE community hive mind a bit about PCI compliance.

    Part of the upgrade process is a change from using Authorize.net for CC transactions to a different gateway/payment processor. The old site isn’t PCI compliant - it failed the tests in various ways. Authorize.net doesn’t seem to care about PCI compliance (and when I wrote the custom extension for it I hadn’t even heard of PCI compliance). The new one requires it. For budget reasons the client decided to wait on the gateway switch and PCI compliance until the new EE2 site vs. spending the time/money to get our EE1 installation compliant.

    Does anyone have any experience with PCI compliance and EE(2)?  Are there things I can do during development that will help me down the road when we start to implement our payment stuff?

    More specifically, I’m going to be using the NSM .htaccess generator and mod_rewrite (and Structure) for pretty URLs. I mention that because URL rewriting seemed to be an issue for compliance with our EE1 site.

    Any thoughts, dos, don’ts, or even just stories of your experience getting EE2 PCI compliant?  Thanks in advance for any help!

  • #2 / Mar 19, 2011 12:16am

    Tyssen

    756 posts

    The guys at Cartthrob have a good rundown on the subject on their site: http://cartthrob.com/docs/pages/pci_dss_compliance/

  • #3 / Mar 21, 2011 11:04am

    Brian M.

    529 posts

    Well, I understand what PCI compliance is even though I don’t have much experience with it. I’ve done my research there. What I was hoping for was something more rubber-meets-the-road. Something like, “I’ve set up a few different PCI compliant EE sites, and these are the problems I ran into, and our solutions.”

    The old site we decided not to try to get up to speed was failing multiple portions of the gateway company’s PCI compliance testing. For example, not all 404s actually return 404 messages (a problem with EE in general). How do you get around that? There were issues with our use of mod_rewrite in some cases - what is and isn’t allowed with mod_rewrite and PCI compliance? The list goes on, was very opaque, and the support from the company seemed very limited in helping resolve the problems (other than to run the test again).
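The "404s that don't return 404" problem above is one a developer can check for before the gateway's scanner does. This added example (not from the thread, and not ExpressionEngine code) requests a few randomly named paths that no route should match and reports any that come back with a status other than 404; BASE_URL is a placeholder, and the fetch function is injectable so the check logic can be exercised offline.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, List, Tuple

# Placeholder: replace with the site under test.
BASE_URL = "https://example.com"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to a "not found" page is itself a soft 404."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url: str) -> int:
    """Return the HTTP status code of a GET for url, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 4xx/5xx and unfollowed 3xx responses surface here; the code is what we want.
        return err.code


def random_missing_path() -> str:
    """A path that no real route should match (hypothetical prefix plus random hex)."""
    return "/pci-404-probe-" + secrets.token_hex(8)


def check_soft_404(base_url: str, fetch: Callable[[str], int],
                   probes: int = 3) -> List[Tuple[str, int]]:
    """Return (url, status) pairs for probe URLs whose status is not 404.

    An empty list means every missing path produced a real 404.
    """
    failures = []
    for _ in range(probes):
        url = base_url.rstrip("/") + random_missing_path()
        status = fetch(url)
        if status != 404:
            failures.append((url, status))
    return failures


if __name__ == "__main__":
    for url, status in check_soft_404(BASE_URL, fetch_status):
        print(f"soft 404: {url} returned {status}")
```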

  • #4 / Mar 22, 2011 2:12am

    Tyssen

    756 posts

    Can’t really help you with specifics about PCI compliance but this might help with your 404 problems: http://joviawebstudio.com/blog/guide_to_404_pages_with_expressionengine/

  • #5 / Mar 22, 2011 11:24am

    Brian M.

    529 posts

    Thanks Tyssen - that 404 page is really good.  I learned a few things there I will definitely implement.

    No one with experience with PCI compliance?

  • #6 / Mar 29, 2012 4:59am

    Rob Games

    38 posts

    Hi Brian, I know I’m picking up this thread a year down the line but just wanted to know if you created a PCI compliant EE2 site in the end.

    If so, what problems did you hit?

    I’m looking at doing a similar project and your feedback would be helpful.

  • #7 / Mar 29, 2012 2:13pm

    Brian M.

    529 posts

    The EE2 migration ate up the budget and the client has so far held off on moving to the new gateway that required PCI compliance.  So EE2 is in place, still no idea about PCI compliance unfortunately.

    Very curious myself actually!  Sorry I can’t be more help.

  • #8 / Mar 31, 2012 2:10pm

    Rob Games

    38 posts

    Thanks Brian, I will let you know how I get along.
