amuck-landowner

Anyone need free billing? :)

jhadley

New Member
Verified Provider
Hi everyone,

I've decided to 'open up' Loading Deck, i.e. make it free.

More information is here.

Also happy to answer any questions. If you do decide to use it, an announcement retweet or follow @loadingdeck on Twitter would be appreciated :)

This is not specifically for web hosts, and web hosts will see some limitations (e.g. order form is still being made) but freelancers - designers, consultants etc. should really enjoy it.

James

notFound

Don't take me seriously!
Verified Provider
Awesome stuff, will see how flexible it is for my mum's business soon. This should be fun.

Erawan

Member
It makes me curious, because I believe I saw you offering Loading Deck in these few weeks, so no one purchased it yet?

shovenose

New Member
Verified Provider
Erm, question. Not trying to be rude but you're kind of pulling a hostbill in that you're changing pricing all the time. Since it's a hosted solution, does it let me download the MySQL database for my stuff if I ever want to bail and move to another solution, like in case you decide you're going to close up shop??

Hope that makes sense :)

jhadley

New Member
Verified Provider
Erm, question. Not trying to be rude but you're kind of pulling a hostbill in that you're changing pricing all the time. Since it's a hosted solution, does it let me download the MySQL database for my stuff if I ever want to bail and move to another solution, like in case you decide you're going to close up shop??

Hope that makes sense :)
I would disagree with the HB statement - there has only really been one change since the launch of LD, although I did run an extended trial.

With regard to moving away, a new release is going to be applied very soon with a detailed API which will be the recommended way of moving. If you need a MySQL dump just ask :)

James

blergh

New Member
Verified Provider
First it was called billr, had issues & got "audited" and then changed name to loadingdeck? This is confusing. The product might be great for all I know, but it being a hosted solution with owners who seem to be having monetary issues (or having a hard time making their minds up) I think I will pass.

Oh, the reason for it all to be free is that you want our data for research? How about nope.

Aldryic C'boas

The Pony
What guarantees of safety/security do you provide?  And should a compromise occur (nothing, nothing is 100% locked down), what is your proposed compensation and course of action?

tchen

New Member
"Over 50 PCI gateways are available for £10 per month via Spreedly, enabling you to accept credit cards without passing PCI compliance."

:huh: - Please look up SAQ-A.  That said, Loading Deck as a third-party that deals with and has access to cardholder data (even indirectly through Spreedly) should have PCI compliance.

Shados

Professional Snake Miner
"Over 50 PCI gateways are available for £10 per month via Spreedly, enabling you to accept credit cards without passing PCI compliance."

:huh: - Please look up SAQ-A.  That said, Loading Deck as a third-party that deals with and has access to cardholder data (even indirectly through Spreedly) should have PCI compliance.
Emphasis mine; they're saying that you don't have to have PCI compliance, not that they don't. At least, that's how I'm reading it.

HalfEatenPie

The Irrational One
Retired Staff
What guarantees of safety/security do you provide?  And should a compromise occur (nothing, nothing is 100% locked down), what is your proposed compensation and course of action?
Basically this.  Every single time when I've stated I dislike the SaaS because of possible security breaches you answer with "We won't get hacked".  That's all fine and dandy from your side but I just would not like to take that risk.  It makes you a much bigger target the bigger you grow with a bigger payout if you do get hacked.  Because of such high risks involved I'd prefer to host on my own platform.  

I would love to try it out, and have been liking it for a while, but the SaaS does not fly with me at all.  

Here, can you specify why we can trust a billing SaaS over our own/personal installation?

jhadley

New Member
Verified Provider
"Over 50 PCI gateways are available for £10 per month via Spreedly, enabling you to accept credit cards without passing PCI compliance."

:huh: - Please look up SAQ-A.  That said, Loading Deck as a third-party that deals with and has access to cardholder data (even indirectly through Spreedly) should have PCI compliance.
No, we won't touch the cardholder data and can't see it. Half of the value in Spreedly is that it does all of that itself with transparent redirects (a little like Stripe).

What guarantees of safety/security do you provide?  And should a compromise occur (nothing, nothing is 100% locked down), what is your proposed compensation and course of action?
Given this is free, there won't be any compensation. It would simply be a case of being open about the problem, fixing it and restoring from a backup.

Basically this.  Every single time when I've stated I dislike the SaaS because of possible security breaches you answer with "We won't get hacked".  That's all fine and dandy from your side but I just would not like to take that risk.  It makes you a much bigger target the bigger you grow with a bigger payout if you do get hacked.  Because of such high risks involved I'd prefer to host on my own platform.  

I would love to try it out, and have been liking it for a while, but the SaaS does not fly with me at all.  

Here, can you specify why we can trust a billing SaaS over our own/personal installation?
It depends which systems you're comparing, and what measures you yourself take to secure it. Ask yourself how secure what you're using at the moment really is. I think it's better I don't publicly post all of the security measures that are in place.

Yes, but not hosted. I prefer a self-hosted solution.
Use something else then :)

Aldryic C'boas

The Pony
Given this is free, there won't be any compensation. It would simply be a case of being open about the problem, fixing it and restoring from a backup.
That doesn't answer the first question - what guarantees of security can you give?  What measures do you take (in technical terms, not layman’s) to prevent security leaks? 

What does "fixing it" entail?  Pulling a Solus/WHMCS and releasing a new patch every two days?  Are you required to report CC theft in the event of a data breach?  I notice you specifically mentioned "restoring from a backup" - I'm not talking about a bug/breach that destroys data.  I'm specifically asking your plan of action in the event that all of the data you store is compromised and leaked, not destroyed.

tchen

New Member
No, we won't touch the cardholder data and can't see it. Half of the value in Spreedly is that it does all of that itself with transparent redirects (a little like Stripe).
As the third party that people are relying on for SAQ-A, YOU need to be compliant.

tchen

New Member
Emphasis mine; they're saying that you don't have to have PCI compliance, not that they don't. At least, that's how I'm reading it.
Which is a wrong statement in and of itself. It's a basic error that anyone who has touched the PCI forms wouldn't make.

jhadley

New Member
Verified Provider
That doesn't answer the first question - what guarantees of security can you give?  What measures do you take (in technical terms, not layman’s) to prevent security leaks? 

What does "fixing it" entail?  Pulling a Solus/WHMCS and releasing a new patch every two days?  Are you required to report CC theft in the event of a data breach?  I notice you specifically mentioned "restoring from a backup" - I'm not talking about a bug/breach that destroys data.  I'm specifically asking your plan of action in the event that all of the data you store is compromised and leaked, not destroyed.
The only guarantee I can realistically offer is that normal, reasonable precautions have been taken to protect the data, including server security and code quality. I deliberately don't want to go into too much detail around this for obvious reasons, save to say that it includes a firewall, brute force protection, VPN-only and key-only access to certain services, a code-checking process whereby code is checked by further developers before going live, frequent system and framework updates and so forth.

As the third party that people are relying on for SAQ-A, YOU need to be compliant.
I have had several conversations with Spreedly and 403labs on this subject and, honestly, it seems to be a grey area. However, it's irrelevant for the moment as only Paypal and GoCardless are being used (there is no option on the website to enable the other gateways).

tchen

New Member
I have had several conversations with Spreedly and 403labs on this subject and, honestly, it seems to be a grey area. However, it's irrelevant for the moment as only Paypal and GoCardless are being used (there is no option on the website to enable the other gateways).
It's grey in that there's no specific form to fill for a SaaS and is a case by case basis. It's the sharing of responsibility that changes, and it is not a release of the SaaS from any compliance requirements.
https://www.pcisecuritystandards.org/pdfs/PCI_DSS_v2_Cloud_Guidelines.pdf

I hope you do address this topic again when you decide to turn on the other gateways. As it stands, your customers would be exposed to the compliance fines.

Aldryic C'boas

The Pony
The only guarantee I can realistically offer is that normal, reasonable precautions have been taken to protect the data, including server security and code quality. I deliberately don't want to go into too much detail around this for obvious reasons, save to say that it includes a firewall, brute force protection, VPN-only and key-only access to certain services, a code-checking process whereby code is checked by further developers before going live, frequent system and framework updates and so forth.
Sorry mec, but that’s not really a guarantee at all.  Reasonable by whose standards?  What precautions?  Were your security implementations tested and verified by a trusted third party, or are you making this claim on the assumption that your work, reviewed only by yourself, is good enough?

What obvious reasons? o_O  The only one I can think of is that you worry going into detail will reveal that things aren't quite as secure as you market them to be.  I point this out because the entirety of the quoted paragraph above could be used to describe Solus, WHMCS, and numerous other panels with known flaws.

You also ignored over half of my prior response, so I'll post it again:

What does "fixing it" entail?  Pulling a Solus/WHMCS and releasing a new patch every two days?  Are you required to report CC theft in the event of a data breach?  I notice you specifically mentioned "restoring from a backup" - I'm not talking about a bug/breach that destroys data.  I'm specifically asking your plan of action in the event that all of the data you store is compromised and leaked, not destroyed.

I realize it seems like I'm just giving you a hard time - but for all of your projects you tend to advertise and describe as someone from a marketing department would - not how a developer would.  This naturally would lead people to wonder if you have the technical expertise to back up your claims.  Speaking from the viewpoint of someone involved frequently with development; if I were in the market for a billing system, your responses to questions in this thread would've thoroughly convinced me that LoadingDeck (along with billr and any of your other projects) would not be up to standard for what I consider secure/efficient.

Just a bit of advice - I know you have a history of starting things, getting them clear of beta, then letting them just kinda fade into obscurity.  You're treading rather dangerous ground now, to be employing that attitude with a system designed to store information about people and finances.  Your claim of "Use at own risk, it's free lol" doesn't make you immune to the regulations and policies that apply to running such enterprises.  Nor is anyone likely to forgive you should something catastrophic occur, and the best you can do for them is "What did you expect, you weren't paying anything".  If you're going to try and do something important, at the very least take the time to think things through and plan properly/accordingly.