New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Payum and PCI DSS Compliance #78
Comments
@mtudor I agree on that fact that card details should not be stored for any time even temporally somewhere. That's why I am telling filesystem is not good. It saves all the info In symfony2 world I solve this problem using |
I need to look into it a bit more I think, but we do have "forward" in Zend Framework too so it should be possible to do something similar. You'd still use the SecuredCaptureController then? |
@mtudor I thing zend2 has something like forward in symfony. Here's the link where you can get more about symfony's forward: http://bluehorn.co.nz/2009/08/29/symfony-redirect-vs-forward/. So there is two way to go:
|
from sandbox: <?php
return $this->forward('PayumBundle:Capture:do', array(
'payum_token' => $captureToken,
));
// vs redirect
return $this->redirect($captureToken->getTargetUrl()); both variant work fine for symfony bundle though I think zend module should be tweaked to support forward |
yes |
What was the reason for originally introducing the SecuredCaptureController instead of the standard CaptureController? |
There are several reasons
|
What about introduce <?php
$value = new SensativeValue('1111222233334444');
echo $value->get();
// 1111222233334444
echo serialize($value);
// empty string
echo $value;
// empty string so whenever you try to serialize it or cast to string you get nothing. Of course you still have to use something like forward to porcess everything in one call. |
A The main issue I was having is that with the redirect method that data HAS to be persisted somehow, and that will break PCI DSS compliance requirements. Hopefully forward may solve that. |
@mtudor I did some progress in the referenced PR. Could you review? |
I managed to get forward working (by actually changing code in my controller before I pass over to PayumModule)...
So far, I've actually found that I don't have to store the capture token, or the payment details, anywhere... The done token needs storing as once the payment is complete I do a full redirect (to lower the chances of the user hitting refresh and having issues - although double payments will be prevented by the "is new payment" check done before processing. How does that all sound? I'll update further as I get more of the implementation completed. |
Quick question on the HttpRequestVerifier... You added in a check to make sure that the URL set in the token is the same as the URL at which the token is used. What protection is this intended to offer? |
There are could exist not only capture tokens but sync\void\refund and so on. This url protection allows to expose them to user and dont worry that the user would try to miss use them. Other words you cannot use sync token to void or refund payments. Make sense? |
Sounds good to me. |
Ah yes, I hadn't considered the other card actions. Thanks! |
Hi @makasim,
We're still working through a Payum implementation here and are now looking at the finer points of PCI DSS. Does PCI DSS apply in the Ukraine? It certainly does over here. One of the guidelines is that we're not allowed to store card details for any length of time, or we'll be elevated to the highest level of self assessment questionnaire to gain compliance.
The SecuredCaptureRequest relies on storing all of the card information across a redirect (from what I can see). Even though this is only done for a very small amount of time, the PCI DSS requirements are pretty black and white. Even encryption does not help here!
My question is twofold:
Cheers,
Mark.
The text was updated successfully, but these errors were encountered: