Ask HN: Is PCI compliance something that every web developer should know?

2 points by vrnut 11 years ago · 4 comments


efriese 11 years ago

If the developer writes code that handles credit card information, absolutely. Most organizations utilize third parties to handle credit card info so they don't have to be PCI compliant. Even then, it helps to know something about PCI because the developer may be storing more information than needed.

In general I think every developer should receive secure coding training. Most developers don't...

  • lsiunsuex 11 years ago

    Depends on how you write the code.

    (generally - there's a lot of coding specifics involved) Authorize.net via their API absolutely requires PCI compliance and an SSL certificate on your site. Stripe recommends an SSL certificate with their basic JS code. And unless you're sending a user directly to Paypal's website to log in via Paypal, if you use their API, you should have an SSL certificate and be PCI compliant.

    I.e.: if the CC info is entered on a page you built, on your server, yes - SSL and PCI. If you're sending the user to another site (i.e.: Paypal or using Stripe's JS code) - no, it's on them.

    Most programmers should at least read the parts of OWASP that pertain to their language (https://www.owasp.org). If it gets entered into a form and stored in some sort of DB, you should at least code with basic precautions.

  • kjs3 11 years ago

    Most organizations utilize third parties to handle credit card info so they don't have to be PCI compliant.

    That's not true. If you enable payment by credit card at all, you're subject to PCI. Even a SAQ A[1] category merchant (payment page entirely hosted and managed by a PCI-compliant, third-party payment processor) is required to formally confirm that their processor is currently PCI compliant, have written rules of engagement with the processor and obey the PCI data handling and retention requirements. And if you embed your payment page in your own page (technically, if any part of the payment page is served from your site and not the processor's site) then you're a SAQ-AP merchant[2], and you'll be expected to conform to a lot more of the standard.

    [1] https://www.pcisecuritystandards.org/documents/Understanding...
    [2] https://www.clerkendweller.uk/2014/3/7/PCIDSS-SAQ-AEP-and-SA...

kjs3 11 years ago

If you develop a site that takes payment via credit card, even when processed by a third party processor, it's pretty irresponsible not to be familiar with it. Even if you're only attesting to being a SAQ A merchant, you'll want to know why. There's not that much to it, and it's really the minimum you should be thinking about.

That said, we'd all live in a better world if every web developer knew the OWASP recommendations inside and out. I can dream.
