• I am a PCI DSS QSA and while working for a client I decided to verify a few aspects of Payment Card Industry requirements in respect of the Jigoshop software.

    First I was talking to a guy at the reception who told me enough to know that they are PCI DSS “aware”, then I was transferred to security “expert” – first of all it wasn’t a matter of trying to get rid of me asap, he was genuinely interested in what I have got to say and why. After a while he has put me on hold and after a while I have heard “Hi, my name is XXX and I’m a managing director of Jigoshop Ltd. I have just learned that apparently there are some potential security issues with our software. I would like to be involved in this conversation, if you don’t mind” !!!

    Ok, I thought at first: a sales person, what a great help… so my response was:
    “The reason for the phone call is to clarify some technical aspects of your software, I’m not sure how you can help.”

    In response I have heard “I’m a Cisco and Red Hat Certified engineer with a current Security Clearance Level 5 in the UK. My experience goes beyond PCI DSS QSA requirements, but to maintain a certain distance from what we do on a daily basis I have made a conscious decision not to become one. I hope I will be able to help.”

    Ok.. that was rather direct, but so was my comment.

    After about half an hour on the phone I have not only found answers to my questions but also I have learned something – attention to detail is certainly not something that is being neglected at Jigoshop and Proxar.

    I wish all the companies that I have to liaise with could present that level of expertise in security.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Jigoshop Support – Paul

    (@paulpreston)

    It’s almost midnight in London… I have received an email with a subject line “look at this comment on wordpress”… I wasn’t sure what to expect, but certainly I wasn’t ready for this.

    In my opinion two things are important in a small/medium business: quality of services and reputation. I will definitely remember this comment and our phone conversation.

    Please don’t hesitate to contact us if you have any further questions.

    Best Regards,
    Paul Preston

    Hi,

    I have just found this post on Google. Can you please send me more info about your security policies? I need to know about development processes, QA processes and security measures. How do you check the integrity of the code? Which (PCI DSS) hosting company do you recommend?

    Plugin Author Jigoshop Support – Paul

    (@paulpreston)

    Hi NortonAsp,

    Since I’m a director and majority shareholder of Proxar Ltd it would be inappropriate for me to recommend a hosting company.

    I have been made aware of your recent comments on our competitor’s WordPress page and therefore I would prefer to answer your questions offline. However, I would like to bring to your attention the fact that your comments are not accurate. When going through the assessment process, every merchant should verify that the eCommerce software has been assessed in respect of PA DSS. Please find the link below:
    https://www.pcisecuritystandards.org/documents/pa-dss_v2.pdf

    In turn, you are right in saying that there is a chain of dependencies, but a software provider doesn’t have to be compliant with PCI DSS SAQ D. If the same software provider decides to sell their products online (effectively, they will be a merchant)… that is of course another matter.

    Responsibility of a merchant is to make sure that “off the shelf” software was assessed in respect of PA DSS only.

    I have confirmed this information with a friend of mine, a senior PCI DSS QSA – I will have to pay for that information… Luckily the payment will be in the form of a pint in a pub in half an hour, so I look forward to it!

    Hope this helps. Please feel free to send us specific questions to [email protected]

    If you would like us to setup some time for a conference call please suggest it in your email.

  • The topic ‘They are good!’ is closed to new replies.