streamWrite Blog

News, events and useful information

Portals Hosted Software Now PCI DSS Compliant in New Data Center

Over the past year StreamWrite has been configuring a new hosting center for Portals hosted customers using Amazon's AWS services.

AWS is Amazon's secure cloud services platform. While this platform is PCI DSS certified (see AWS PCI DSS Compliance), the Portals software had not achieved that certification until early 2018.

As of February of this year, Portals hosted in our new AWS data center is also now PCI DSS certified.

More on PCI DSS here.

We are excited to have achieved this goal as customers continue to roll out secure applications using our Portals Cloud offering.

If you are looking for PCI compliance as a Portals premise customer, the certification process must be completed by you, the merchant. Portals does meet all of the requirements necessary if you are using a Portals application to take payments in your data center.

OpenID Connect for Portals Authentication

For apps requiring authentication, Portals uses OpenID Connect as the default method for authenticating users. One advantage of OpenID Connect as an authentication service is that you, our Portals customer, can leverage your preferred authentication service from a variety of providers, including Microsoft, Google, Yahoo and others.

OpenID Connect differs from OAuth 2.0 in that OpenID Connect is an authentication service (authenticating users) and OAuth 2.0 is an authorization service (authorizing access to resources). OpenID delegates authentication services to your preferred provider, eliminating the need to store local credentials on Portals. It also allows you to use one set of credentials across a variety of services, simplifying administration and security.

OpenID Connect sits on top of the OAuth 2.0 protocol as a simple identity layer. Software clients such as Portals can verify the identity of your end user by leveraging an OpenID Authorization Server. They can also obtain basic profile information about your end user.

There are several good articles on the subject with a lot more detail. A few are listed below for your convenience.

https://openid.net/connect/

http://cakebaker.42dh.com/2008/04/01/openid-versus-oauth-from-the-users-perspective/

https://stackoverflow.com/questions/1087031/whats-the-difference-between-openid-and-oauth