Jon Stahl's Journal

Politics, the environment, technology, activism. And stuff.

links for 2008-11-19

Categories: Blogs

Musings on ecommerce and PCI compliance for nonprofits

Tue, 11/18/2008 - 21:36

I’ve been doing some thinking and planning about how to build better online donation tools for small to midsize nonprofits.  In the course of the background research, I’ve come across what I think is a pretty big latent risk for lots of nonprofits (and small businesses) that do online transactions.

It has an acronym: PCI, or PCI DSS (the Payment Card Industry Data Security Standard).  It’s the set of security requirements put in place by the credit card industry over the past few years, in an attempt to limit the risk of catastrophic data breaches that put cardholders’ credit card details in criminals’ hands.

What PCI DSS says in a nutshell is this: if your computer systems store, process or transmit cardholder data, then there are specific security controls and processes that you MUST have in place, you must attest that you have them in place, and you must submit to periodic validation (self-assessment questionnaires and, depending on your volume, external vulnerability scans or on-site assessments) to confirm it.

The companies that issue merchant accounts (the acquiring banks and their processors) are responsible for verifying the compliance of their small customers.  The self-assessment questionnaire for the most common scenarios runs to 40 pages, and you have to be able to answer “YES” to every question in order to pass.

Why is this a problem?  Well, obviously the intention here is good.  Credit card data security is an incredibly important issue.

But there are a ton of nonprofits and others that operate small ecommerce sites using off-the-shelf ecommerce software such as ZenCart or Magento, or extensions to popular open-source CMSes such as Joomla, Drupal or Plone.  These systems, properly configured, are quite secure (especially Plone!), and in truth they are generally not storing or processing credit card data, merely passing it straight through to a payment gateway such as Authorize.net.

Still, since these systems are “transmitting” credit card data (the card number passes through the web server before it reaches the gateway, and can end up in web server logs or error output if nobody is careful), they clearly fall within the scope of PCI DSS, and those systems must therefore be compliant under the rules.  Failure to comply can expose an organization to fines, higher rates from its merchant account provider, or simply being cut off from the credit card system.  Not good.

So, with that setup, here are some questions/observations:

  • I wonder how many small to midsized organizations there are out there that have the technical chops to make it through the 40-page self-assessment.  Probably not too many.

  • What percentage of small merchants are actually achieving PCI compliance?

  • How many small merchants are actually being required by their credit card providers to demonstrate PCI compliance? Is anybody being sanctioned?

  • Are nonprofits who take credit cards offline or via virtual terminals being forced to achieve compliance, too?  (In theory they should be.)

  • Shouldn’t open-source ecommerce developers be paying a bit more attention to this?  I think a lot of them are setting up their users for trouble, by making it easy to set up systems that expose not-very-sophisticated users to these complex requirements.  I suspect there’s a lot of misunderstanding out there.


links for 2008-11-18

Tue, 11/18/2008 - 17:30

links for 2008-11-14

Fri, 11/14/2008 - 17:30

Am I the only one who finds Change.gov disappointing?

Wed, 11/12/2008 - 09:12

I’m really surprised by the adulation that the Obama transition team’s website, Change.gov, has gotten.  To me, it looks like a pretty design (all of Obama’s design work has been really excellent!), and a few web forms that dump your information into a black hole, never to be seen again (so far).  This is what “listening” looks like?

I applaud the speed with which they’ve gotten the site up, and I suppose I appreciate the symbolism of the gesture.  But unless they actually build some sort of real conversation on top of this, or somehow reflect back what they’re hearing (“active listening,” anyone?), I’m not going to be very impressed.


Great glimpse behind the scenes of the campaigns

Sat, 11/08/2008 - 17:35

Newsweek offers convincing evidence that “mainstream media” is still possible and relevant with a fantastic, in-depth look behind the scenes of an epic election campaign.  Their web presentation is a bit choppy, but here are quick links to the seven in-depth chapters.  Well worth a read.


World Plone Day Seattle - A Huge Success

Sat, 11/08/2008 - 15:08

The team here at ONE/Northwest hosted Seattle’s World Plone Day event last night, part of a coordinated worldwide Plone “day of outreach” that reached over 22 countries.

Here in Seattle, we had a capacity crowd of about 40 folks, with a great mix of experienced Plone hands, Plone beginners and the “just curious.”  I gave a short “overview of Plone” talk, based heavily on the great slide deck that Constance Wilde put together for WPD, and my colleague Sam Knox did a short “basic training” for end users.  We finished up with some Q&A, which was an interesting mix of really specific technical questions and general questions about features and capabilities.

All in all, a great event with a lot of positive energy.  Thanks to the entire global World Plone Day team for their tremendous organizing and cat-herding, as well as to the Seattle Plone community!


links for 2008-11-07

Fri, 11/07/2008 - 17:30

Happy World Plone Day!

Fri, 11/07/2008 - 15:40

Today is World Plone Day, a global “day of outreach” for the Plone open-source CMS community.  In a few hours, we’ll be hosting 40+ folks here at ONE/Northwest HQ in Seattle, just one of the dozens of World Plone Day events taking place in over 22 countries around the world.

It’s been a pretty amazing global effort, thanks to some great work from Robert Allende, Gerry Kirk, Constance Wilde, Tim Knapp and many others.  And, judging from the IRC messages, Twitter posts, and live video streams, the various workshops have been well attended, enthusiastic and full of great Plone energy.

I’m really excited to close out the day in style here in Seattle!


links for 2008-10-31

Fri, 10/31/2008 - 17:30

links for 2008-10-30

Thu, 10/30/2008 - 17:30

Ballard and Fremont in the New York Times

Thu, 10/30/2008 - 16:57

Ballard (and our neighbors in Fremont) get the in-depth treatment from the New York Times travel section.  Very cool to see a photo of the Ballard farmers’ market on the homepage of the Gray Lady!


links for 2008-10-29

Wed, 10/29/2008 - 17:30

Plone Code Swarm

Tue, 10/28/2008 - 23:19

Chris “cbcunc” Calloway has put together two great video visualizations of Plone’s community activity over the past eight (!) years.

Check out:

Plone core code swarm — a visual representation of the evolution of the Plone core from 2001 to 2008.

Plone collective code swarm — same idea, only this time it analyzes the universe of Plone add-on products.

It’s really amazing to see the fireworks that surround major code checkins, and to see the moment in time when legendary Plone contributors like Martin “optilude” Aspeli and Hanno “hannosch” Schlichting (just to name two) first appeared on the scene.

(Eagle-eyed viewers will spot my name flicker around the edges of the Collective from 2006 onward.)

Plone Code Swarm from Chris Calloway on Vimeo.


links for 2008-10-27

Mon, 10/27/2008 - 17:30

links for 2008-10-26

Sun, 10/26/2008 - 17:30

links for 2008-10-24

Fri, 10/24/2008 - 17:30

links for 2008-10-23

Thu, 10/23/2008 - 17:30

Socialist? Not.

Sat, 10/18/2008 - 18:24

Obama’s no socialist, but McCain and Palin are acting more and more like fascist demagogues all the time.  I’ll be glad when this election ends in a blowout that sends them both scampering back to their caves with the last remnants of the revanchist right.
