Open Source PCI Compliance
September 7th, 2007 Posted in Compliance, Payment Applications
Brian wrote in to ask about issues revolving around the use of open source products when evaluating PCI compliance. Can you be compliant if you use open source platforms and tools? If a review of your software is required, who will perform it? Do assessors understand open source platforms enough to evaluate PCI compliance?
The honest answer to these questions, and more like them, is that the waters are largely uncharted. The use of open source tools does not currently preclude a company from achieving PCI compliance. Platforms such as Linux and BSD are commonly used by major corporations and are regularly evaluated by assessors. The question of compliance really comes into play when you start talking about tools, specifically payment applications such as osCommerce.
Currently, PCI DSS compliance does not require merchants to use validated payment applications (although doing so helps considerably). But one could imagine that in the future the standard could require the use of third-party validated applications, in which case who will evaluate open source payment apps? Maybe there is a qualified assessor out there willing to do some pro bono application reviews to help out the open source community.
7 Responses to “Open Source PCI Compliance”
By Damian Hickey on Sep 9, 2007
Just so you know, we are proceeding with PCI certification for Freeway, the Open Source eCommerce platform.
It will be completed in this calendar year.
Damian Hickey
CEO ZacWare
http://www.zac-ware.com
By Michael Dahn on Sep 10, 2007
Damian, great job! Are you paying for it or is the QSA donating their time in the name of the open source community?
By Damian Hickey on Sep 10, 2007
We would love it if someone would sponsor it but at present we are doing it because we see it as a good way to help us make a more enduring eCommerce platform.
Cheers,
Damian
By Michael Dahn on Sep 10, 2007
Damian, this is such a great (and strategic) move you are making. I commend you and your team for making the move on this! You should do a press release.
By Damian Hickey on Sep 10, 2007
Yes, we are in the process of arranging Beta testers and the extent of the works we are going to undertake. We are heavily leaning towards a proactive security monitoring tool with alerting.
Cheers,
Damian
By Brian on Sep 27, 2007
Two examples I have in mind for firewalls: Vyatta and iptables.
Vyatta is a drop-in software appliance that is free and they have a supported version. It’s basically an iptables wrapper on Linux (I believe) with some administrative tools. I don’t see why it *wouldn’t* qualify, but what if you don’t pay for support and only obtain community updates?
The second is using a dedicated Linux box with iptables. There’s no “vendor update” beyond the original Linux distribution (which, let’s say, could be an unsupported version like CentOS or the “legit” RHEL). So long as the rules are correct, does this qualify?
I suppose part of my confusion on the matter is the relevance/requirement for vendor support in the form of updates and whether or not the core functionality will suffice.
My belief is that the open source software, so long as it is functionally sufficient, is perfectly OK, but auditors who understand nothing other than mega-dollar installs from big companies are going to be semi-clueless. “It’s not shrink-wrapped!” Thus, leading to higher costs and hassle for the small merchant.
I realize there isn’t much work in this space because there isn’t much upside for the software vendors but I have to think that some remediation company could be making a killing on selling “open source PCI in a box” to the thousands of small merchants out there. I’m contemplating writing a howto/book after we finish our efforts.
By Damian Hickey on Nov 15, 2007
Hi,
I just thought I should update you with some info about how we are responding to PABP. Please take a look there: http://www.openfreeway.org/community/blogs/
Cheers,
Damian