Contributors mailing list archives


Re: Backend processing of credit card payment

- 22/07/2016 20:04:34

On Fri, Jul 22, 2016 at 2:23 PM, Maxime Chambreuil <> wrote:
You bring a good point here Raphael. I double-checked PCI-DSS requirements and not storing CC info is not enough.

Hello Maxime. Well were do you get this assumption from? From our own checks at Akretion we found that once the credit card number transit on your server (so without even being stored) then you should enforce the PCI-DSS requirement.

Look for instance at what Heroku is telling on the subject:
Basically many apps out there such as Spree commerce and apps that use ActiveMerchant don't store the credit card information but still don't seem to comply with the PCI-DSS. And taking the credit card information on the backend won't change anything about it I think.

Well, I'm very curious about this whole debate...

In case PCI-DSS can be worked around, then I insist, I have a POC where every gateway of ActiveMerchant can be intergarted with Odoo with less than 50 lines of code, vs may be 2500 lines of code if you don`t use ActiveMerchant and test with the same rigor.
So for instance here is the code of ActiveMerchant for Authorize:
and its main tests:

And my Odoo integration is similar to the Spree one (we just have an Adapteer for the Odoo persistence via Ooor and possibly a json REST trigger from the Odoo backoffice):

As you can see, ActiveMerchant as 420 contributors and 3300+ starts for only 27 issues. It's driven for years by Shopify which unless some ERP open source companies is absolutely real and isn't a bubble... Even with the OCA it's totally impossible we achieve such a traction on payment gateways... IMHO the OCA should focus its limited energy on the things were no open source alternative exist instead...

I found that Stripe is for instance is a suitable gateway because it's modern and allows to use session tokens for the transaction instead of your real credit card data. So no credit card information will even transit on your server once you integrate with Stripe.js. The issue is that except may be Braintree, the other gateways don't seem to have this feature. So we are forced to do the old school integration trick with return callbacks from the provider to your app once the payment is processed. This is what Odoo does, but unfortunately this is much more clumsy to integrate with less room for a library abstraction such as ActiveMerchant. I think the future is what Stripe does, but meanwhile Stripe is more expensive so we might have to eat the integration thing.

I also see may companies who simply don't consider the PCI-DSS, but doing so doesn't seem a scalable business for us at Akretion. So for instance if you buy an Odoo Enterprise on Odoo website (hey why not...), then your credit card info is sent to the Odoo server. May be Odoo SA do all the PCI-DSS compliance declaration, but frankly I doubt...
Really curious about your PCI-DSS reasoning. Regards.

Raphaël Valyi
Founder and consultant
+55 21 3942-2434