Hi,
I was wondering if you can help. I am a bit worried about the whole security aspect of Sage Pay and getting PCI DSS compliance for the Direct Payment System. Does anyone know how to get this to work, or if there is a way of using their iframe system, although there isn't a module for this?
I've been looking to see if there are any answers out there, but as I am a designer rather than a developer I am struggling a bit.
Cheers.
Comments
Comment #1
Tony Sharpe
I use the direct payment gateway and have tested the site as PCI compliant (no critical failures). It required the hosting company to tweak a few things first to plug some holes after I tested.
Tony
Comment #2
longwave
I have also passed PCI validation tests using both 6.x-1.x and 6.x-2.x versions of this module; the tests look at your site from an external point of view and don't audit or verify the code that is actually running. Dedicated servers and VPSes with a standard, secure Linux setup and a few configuration tweaks to Apache are sufficient to pass. Shared hosting can be a different matter, and you may partially be relying on other users on the server keeping their sites secure.
There was previous discussion of this in #538132: PCI DSS compliance for Sage pay - perhaps I should add something to the project page about it?
Comment #3
Tony Sharpe
Just to add that mine's on shared hosting and it's Drupal 5, Ubercart 1 using selective secure pages.
Comment #4
yetihunter1000
Hi again,
Thank you for replying so quickly on this and I think I will give this a go and I'm guessing that the company is on a shared hosting.
Do you think the hosting company's SSL will be sufficient, or should I go to an external company (although they seem very expensive)? The other thing is testing; can you suggest the best way to go about this?
Apologies for the further questions but I am very green on this side of things.
Thanks again.
Comment #5
longwave
The easiest way to find out will be to ask your hosting company whether their servers are compliant or not.
Comment #6
longwave
Comment #7
yetihunter1000
Will do - thanks for the information.
Comment #8
hanoii
Just entered some key comments (mainly #2) on the project page, so I am really closing this issue.