Ask HN: Is PCI compliance something that every web developer should know? - vrnut
======
efriese
If the developer writes code that handles credit card information, absolutely.
Most organizations utilize third parties to handle credit card info so they
don't have to be PCI compliant. Even then, it helps to know something about
PCI because the developer may be storing more information than needed.

In general I think every developer should receive secure coding training. Most
developers don't...

~~~
lsiunsuex
Depends on how you write the code.

(Generally - there's a lot of coding specifics involved.) Authorize.net via
their API absolutely requires PCI compliance and an SSL certificate on your
site. Stripe recommends an SSL certificate with their basic JS code. And
unless you're sending a user directly to Paypal's website to login via Paypal,
if you use their API, you should have an SSL certificate and be PCI compliant.

i.e.: if the CC info is entered on a page you built, on your server, yes - SSL
and PCI. If you're sending the user to another site (i.e. Paypal or using Stripe's
JS code) - no, it's on them.

Most programmers should at least read the parts of OWASP that pertain to their
language ([https://www.owasp.org](https://www.owasp.org)). If it gets entered
into a form and stored in some sort of DB, you should at least code with basic
precautions.
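
The scope boundary both comments above describe (card data entered on your own server puts you in PCI scope; a token from the processor does not, and you should not be storing more than you need) can be enforced in code. The following is an added example, not code from this thread or from any of the processors named: a server-side guard that accepts only a processor token plus order fields, and rejects or redacts anything that looks like a primary account number (PAN) before it can reach storage or logs. The field names (`payment_token`, `amount_cents`, `currency`) are hypothetical, and the card numbers in the sample inputs are the widely published documentation test numbers, not real cards.

```python
import re

# Digit runs of 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Candidates are then Luhn-checked,
# which filters out most order numbers, timestamps and similar.
_PAN_CANDIDATE = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])")

# Hypothetical allow-list for the charge endpoint: a token from the payment
# processor and order data only. There is deliberately no place for a card
# number, expiry or CVV, so the server never sees them.
ALLOWED_FIELDS = {"payment_token", "amount_cents", "currency"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the PAN-like values (separators stripped) found in text."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace PAN-like values with ****<last4> so logs never carry a full PAN."""
    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "****" + digits[-4:]
        return m.group()
    return _PAN_CANDIDATE.sub(_mask, text)


def validate_payment_request(fields: dict) -> dict:
    """Check a charge request: only allow-listed fields, and no card data anywhere."""
    errors = []
    if "payment_token" not in fields:
        errors.append("missing payment_token")
    for name, value in fields.items():
        if name not in ALLOWED_FIELDS:
            errors.append(f"unexpected field: {name}")
        if find_pans(str(value)):
            # Redact in the error text too, so the rejection itself is loggable.
            errors.append(f"field {name!r} looks like it carries a card number")
    return {"ok": not errors, "errors": errors}


if __name__ == "__main__":
    # Constructed sample requests: a tokenized one and one that leaks a PAN.
    good = {"payment_token": "tok_constructed_abc123", "amount_cents": 1999, "currency": "usd"}
    bad = {"payment_token": "tok_constructed_abc123", "card_number": "4111 1111 1111 1111"}
    print(validate_payment_request(good))
    print(validate_payment_request(bad))
    print(redact_pans("charge attempt for card 5555555555554444 failed"))
```

The Luhn check is what keeps this usable: a bare 16-digit regex would flag order numbers and timestamps, while a Luhn-validated candidate is almost always a real card number. Running `redact_pans` over log lines and `validate_payment_request` at the edge of the charge endpoint is a cheap way to make sure the "token only" design is actually what the server sees.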

------
kjs3
If you develop a site that takes payment via credit card, even when processed
by a third party processor, it's pretty irresponsible not to be familiar with
it. Even if you're only attesting to being a SAQ A merchant, you'll want to
know why. There's not that much to it, and it's really the minimum you should
be thinking about.

That said, we'd all live in a better world if every web developer knew the
OWASP recommendations inside and out. I can dream.

