Products

Evoq Content Overview Content Creation Workflow Asset Management Mobile Responsive Personalization Content Analytics SEO Integrations Security Website PerformanceEvoq Engage Overview Community Management  Dashboard  Analytics  Member Profile Gamification Advocate Marketing Community Engagement  Ideas  Answers  Discussions  Groups  Wikis  Events Mobile ReadyDNN Support PackagesEvoq: CMS FeaturesEvoq OnDemandCompare DNN's CMS Products

Solutions

Content Management SystemMulti-Channel PublishingDigital MarketingOnline Community ManagementIntranet Software SolutionOur CustomersPrime

Resources

Test DrivesSchedule A DemoDocumentation CenterWebinarsWhite PapersProduct ManualsRequest PricingData SheetsCase StudiesEvoq Preferred Products Content Management Ecommerce Forms Identity Management and Authentication Site Management Social Themes

Partners

DNN Partners Partner Directory Become a DNN Partner Partner Program Overview  Hosting  Implementation  ISV  Training  Competencies

Community

Participate Ask a Question Forums Community Showcase DNN MVP  Program Overview  Lifetime MVPs  Honorary MVPs Subscribe to DNN Digest Advisory Groups  Awareness Advisory Group  Developer Advisory Group  Partner Advisory Group  Technology Advisory GroupLearn Documentation Wiki Community Blog Video Library Project History Development RoadmapDownload DNN Store Language Packs Manuals Nightly BuildsSecurity Policies Security Center

Blog

About

News Press Releases News Coverage Press KitCareersContact DNN

QA

Ideas Test

New Community Website

Ordinarily, you'd be at the right spot, but we've recently launched a brand new community website... For the community, by the community.

Yay... Take Me to the Community!

Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.
In order to participate you must be a registered DNNizen
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...PABP-support in DNNPABP-support in DNN
Previous
 
Next
New Post
6/1/2009 9:04 AM
 
bcorngtr

Joined: 5/12/2009
Posts: 4

I am very interested in learning DNN's roadmap to support PABP in the framework.  My current understandling is that VISA will beginning denying transactions that are delivered to VISA that do not meet PABP compliance as early as October of 2009.  This poses a serious issue to some 3rd party storefront components that rely on the DNN framework (in particular ASPDOTNETStoreFront).  Any information on direction and timelines would be most appreciated!

Thanks!

Brian Corn
 
New Post
6/1/2009 12:58 PM
 
Joe Brinkman


Joe Brinkman's Avatar

blog.theaccidentalgeek.com
Joined: 5/18/2003
Posts: 2356

So can you point me to an issue where DNN is not PABP compliant?  The largest issues for compliance revolve around logging and password management which we have fully supported for a long time.  The second set of issues for PABP compliance are how the application handles sensitive customer data like the credit card number and the CCV code.  Since those items are handled by the ecommerce module and not DotNetNuke that is not something we have control over.

The bottom line is that unless someone can point at a specific feature we are lacking, there is not really anything for us to do.

Joe Brinkman
DNN Corp.
 
New Post
6/1/2009 3:13 PM
 
Swanzey Internet Group LLC


www.swanzey.com
Joined: 9/10/2003
Posts: 454

ASPDNSF made an interesting comment over a year ago here http://forums.aspdotnetstorefront.com/showthread.php?t=9982&highlight=pabp, but more recently, may have modified their opinion here http://forums.aspdotnetstorefront.com/showthread.php?t=13557&highlight=pabp

Eric Swanzey
www.swanzey.com
 
New Post
6/1/2009 3:59 PM
 
bcorngtr

Joined: 5/12/2009
Posts: 4

Joe,

Thanks for the quick response.  My concern is that I have a new client that will be leveraging the DNN framework for their new web site which is centered around their online store.  This store will be built using the DNN version of the ASPDOTNETStoreFront product.  On the ASPDNSF web site, the fact that the DNN version of this software is NOT PABP/PCI-DSS compliant is very clearly stated (digging deeper uncovers this is due to the DNN framework not the ASPDNSF product itself).  My understanding is that becoming compliant requires some sort of certification or assessment process via the PCI Security Standards Council itself, regardless of the functional requirements of the actual software.  ASPDNSF claims that their DNN storefront module cannot be considered compliant until the DNN framework itself is certified compliant.  I'm afraid my client (and probably others as well) will be trapped in the middle on this one - with a deadline of October 2009 looming near.  Has DNN been approached by anyone at ASPDNSF regarding this issue and the desire for PABP/PCI-DSS compliance?

Thanks!

Brian
 
New Post
6/2/2009 10:38 AM
 
Brandon Haynes Haynes


brandonhaynes.org
Joined: 2/6/2006
Posts: 1172

Hi Brian,

This is an issue larger than DotNetNuke (which you will have noticed if you happened to catch the congressional hearings on PCI last month).  Indeed, there exist (by my count) only THREE PA-DSS-compliant shopping cart applications on the PCI list (although, granted, such listing is sufficient but not necessary for PA-DSS compliance -- you do not have to be listed to be compliant).

Some additional meandering thoughts:

* PA-DSS auditing often requires a six-figure expenditure.  You are likely to see NO free, open-source options CMS engaging in this process, especially when those platforms do not offer e-commerce as a core, primary feature.  I do not believe that any are currently engaged in validation.

* There is a bit of a chicken-and-egg affair going on.  DotNetNuke does not itself engage in any PCI-DSS or PA-DSS activities.  There is no incentive for it to consider the validation process, except perhaps for the philanthropic benefit of commercial third parties (who themselves would make a lot of money off of this).  Economically, this implies that the benefiting party (e.g., ASPDNF) should be the one to incur the high costs associated with PA-DSS validation.   

* ASPDNSF must justify any non-PA-DSS software that it itself consumes, and in this case this means DotNetNuke.  This complicates their validation strategy.

* Ironically, DotNetNuke can be fully PCI-DSS compliant and could be PA-DSS compliant (I recently dealt with the last issue of which I am aware, §11.1, dealing with multi-factor authentication).  It is merely missing a custom security distribution and the validation process itself, for which it has little incentive.

* Out of the box, however, DotNetNuke is neither PCI-DSS nor PA-DSS complaint; its default security configuration is insufficient for this.  Modification to its configuration may obviate PA-DSS and trigger Level-1 PCI-DSS compliance for your customer; DotNetNuke is HIGHLY compatible with this process.

* I suspect that ASPDNSF's equivocation about DotNetNuke PA-DSS is a red herring to distract from its own internal validation; here the VAST majority of compliance issues will relate to its own software, and very little will apply directly to DotNetNuke.  The few details about the specific PA-DSS issues with which ASPDNSF is struggling serves to increase this suspicion.  If it really wanted to, ASPDNSF could likely avoid DotNetNuke dependencies for PA-DSS-specific tasks.

Ultimately, the relationship between open-source and PCI is dynamic and antagonistic.  There are many, many, many non-compliant sites out there that will require radical adjustment to reach compliance.  No one knows what will happen here.  I certainly do not.

Brandon

 

Brandon Haynes
BrandonHaynes.org
 
 Page 1 of 3
123Next 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...PABP-support in DNNPABP-support in DNN


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out