So... being backend and DevOps was not enough. I am supposed alone to walk through PCI DSS compliance now.

https://pcisecuritystandards.org/do...

Undoubtedly fun, but a bit too much for one dev to do everything. But, no choice is left, so let's have the new hat of security on!

Can't just use a payment gateway with compliance?

@ScriptCoded as far as I checked, the business is required to meet 300+ security controls in PCI DSS if it is not using a payment gateway with compliance.

But if it is using a payment gateway.... it still needs to confirm 22 security controls. The whole list I provided in the beginning. It is already the shortened minimum list of requirements, the e-commerce company is required to meet if using a payment gateway with compliance.

@theKarlisK well yeah, it is sort of fun. Requirements go through my backend and devops duties. I would say security is quite good in complimenting my skill set.

And the company owner will not be able to refuse some of the things now, since they are mandatory instead of being optional.

@darkwind I have no idea what the size of your company is or what you're doing, but with stripe for example, everything's in iframes. So everything is actually off site

@theKarlisK This, I am already shivering at the thought of adapting a lot of things. Sure it's for the better, but damn always a shitton of work to implement.

@darkwind Courage to you dear fellow DevSecDataAiComplyOps person! But remember this:

* Ensure you have the authorization black on white on paper / email you are in charge of the entire project and they make available/fund you all the requirements to get it done.

* Ensure you have a waiver signed in triple (you, employer and an independent party like e.g. Bailiff/notary) stating that - despite your best efforts - you are not liable for any losses or damages the company may incurr.

* Ensure that your employer realizes that PCI/DSS is a continuous process that - once embarked on - is not easy to get off. They are in it for the long run.