How Do I Know If Oscommerce Is Built To Be Pci Compliant?


21 replies to this topic

#1 offordscott

  • Community Member
  • 19 posts
  • Real Name: Scott Offord

Posted 19 June 2007, 20:35

I have read a few threads about PCI compliance and I am still left wondering.

1. Do you really have to hire a 3rd party company to scan your system for compliance?
2. My payment gateway is a PCI compliant company, but is osCommerce built to be PCI compliant out of the box?
3. So long as my server has an SSL certificate, does that mean I am compliant?
4. Does storing my database on a different server from my webstore give me PCI compliance?

Thank you for your help clearing this up. I'm looking for short, clear, factual answers.

Scott

#2 enigma1

  • Community Member
  • 8,206 posts
  • Real Name: Mark Samios

Posted 19 June 2007, 21:02

The moment you go with an external gateway (item 2 from your list) to cover the payments, PCI is not applicable, because no cc info is stored on the server. (And you can confirm that by examining the payment module itself.)

If you manage the credit cards in your store yourself (ie: storing cc details in your database), then you would have to change several aspects of osC to make it compliant, and you would have to go through the PCI spec and check every single item.

#3 offordscott

  • Community Member
  • 19 posts
  • Real Name: Scott Offord

Posted 17 October 2007, 03:15

Thank you for your reply, enigma1.

Scott Offord
http://scottofford.com

#4 toyicebear

  • Community Member
  • 5,474 posts
  • Real Name: Nick
  • Location:World Citizen

Posted 17 October 2007, 05:03

First, if you plan on taking payment by cc onsite, then yes, you need to be PCI compliant.


1. Depends on your volume of transactions; you can check qualifying levels on the PCI web site.

2. If you use RC1 then yes....

3. SSL is mandatory but does not make you compliant as such.

4. Not necessarily, the conditions are more complex than that...


Easy way to be PCI compliant...

1. Use osCommerce RC1

2. Use SSL in the checkout process.

3. Use a PCI compliant payment gateway company with a suitable osCommerce payment module.

Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce

Check out my profile [click here] for information on professional services, custom coding, templates, SEO optimization, modifications, commercial support and help.

#5 RoninS14

  • Community Member
  • 71 posts
  • Real Name: Randy
  • Location:Honolulu

Posted 06 December 2007, 23:13

I was told that one of the requirements was that you HAD to have a dedicated server for your ecommerce site. You can't use shared hosting anymore. Is that true?

#6 porpoise1954

  • Community Member
  • 178 posts
  • Real Name: Steve
  • Gender:Male
  • Location:Jersey

Posted 06 December 2007, 23:59

RoninS14, on Dec 6 2007, 11:13 PM, said:

I was told that one of the requirements was that you HAD to have a dedicated server for your ecommerce site. You can't use shared hosting anymore. Is that true?

Yes, if *YOU* are collecting the data and storing it, *YOU* must be PCI compliant. That's why it's a *MUCH* better idea to use a 3rd party to handle the data (ie. a PROPER payment gateway). That way, *THEY* are the ones that need to be PCI compliant (all the reputable ones are).
* * * * * * * * * * * * * * * * * * * * *
Porpoises are most happy when wet!
\ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _ \ _

#7 RoninS14

  • Community Member
  • 71 posts
  • Real Name: Randy
  • Location:Honolulu

Posted 07 December 2007, 00:45

dammit, as of right now I am collecting the information and storing it in the sql database. Looks like I gotta down the site for now and check with my cc processor for some solutions and options.

#8 scranmer

  • Community Member
  • 172 posts
  • Real Name: Simon Cranmer
  • Gender:Male
  • Location:UK

Posted 28 December 2007, 11:07

We have helped several companies through PCI compliance and the previous info is all accurate. It's deadly simple:
  • just ensure you use SSL for all the checkout area (if possible)
  • use one of the merchants that handles the payment process, or hold the "whole" card info for as little time as possible on the server, or split it over multiple emails
  • destroy the payment info at your end as soon as the transaction is authorised or rejected
*** But most of all *** as soon as you can afford it, sign up for one of the systems that offers PCI server checks.
This will possibly highlight some horrid problems with your hosts to start with, but 99% of the time they are simple problems to overcome. Just send the hosts a polite email explaining what you are doing and what the problem is, and I'm sure they will help. This will ensure that hackers have a very hard time compromising your server and therefore accessing your data.

HTH

Si.

#9 Vger

  • Community Member
  • 16,978 posts
  • Real Name: R Anthony
  • Gender:Not Telling

Posted 28 December 2007, 18:01

Quote

1. Depends on your volume of transactions; you can check qualifying levels on the PCI web site.

That used to be true, but unfortunately, for USA based websites at least, there is now no minimum number of transactions to qualify for level 4 PCI compliance.

Quote

2. If you use RC1 then yes....

That's a big No. RC1 still stores credit card data in the database, and includes the default credit card module for running transactions manually through an EPOS machine.

Vger

#10 scranmer

  • Community Member
  • 172 posts
  • Real Name: Simon Cranmer
  • Gender:Male
  • Location:UK

Posted 30 December 2007, 17:08

Vger, on Dec 28 2007, 02:01 PM, said:

That used to be true, but unfortunately, for USA based websites at least, there is now no minimum number of transactions to qualify for level 4 PCI compliance.
That's a big No. RC1 still stores credit card data in the database, and includes the default credit card module for running transactions manually through an EPOS machine.

Vger

If anyone is still using RC1 or the standard cc system & EPOS, I have created a mod that captures CVV & has a delete button to remove the info via admin once you have processed the details. It would only take a mo to also update the card to hide the middle numbers or delete the card info totally if anyone needs it.

#11 greyman56

  • Community Member
  • 1 posts
  • Real Name: Graham Miller
  • Location:Kenilworth, Australia

Posted 19 February 2008, 23:38

scranmer, on Dec 31 2007, 03:08 AM, said:

If anyone is still using RC1 or the standard cc system & EPOS, I have created a mod that captures CVV & has a delete button to remove the info via admin once you have processed the details. It would only take a mo to also update the card to hide the middle numbers or delete the card info totally if anyone needs it.

Hi,

Is this available anywhere? I'd like to see if it is useable for a client of ours.

Thanks

#12 toyicebear

  • Community Member
  • 5,474 posts
  • Real Name: Nick
  • Location:World Citizen

Posted 20 February 2008, 01:08

Vger, on Dec 28 2007, 06:01 PM, said:

No. RC1 still stores credit card data in the database, and includes the default credit card module for running transactions manually through an EPOS machine.

Vger

I was not referring to the use of manual collection of cc info, which is a no unless you are totally PCI compliant. And I for one hope the default cc module is removed from future osCommerce versions!

I was referring to the fact that from RC1 a modification was made which allows the cc info to be "collected" on the checkout_confirmation page and then sent directly to the payment gateway without any temporary "saving" of info in between.

Older versions collect the cc info on checkout_payment and as such store the info temporarily before it's sent to the gateway, which gets you into a grey area in regards to PCI compliance.

Edited by toyicebear, 20 February 2008, 01:10.


#13 scranmer

  • Community Member
  • 172 posts
  • Real Name: Simon Cranmer
  • Gender:Male
  • Location:UK

Posted 20 February 2008, 07:02

Mmm, good point, but if you install the latest version of your module does this not have a fix in for this? Also I've been led to believe this is a "grey" area, or should I say "open to interpretation", and as long as it's a very short amount of time and the tmp files are deleted you're fine (I take it you are talking about a session file - encrypted hopefully - that is NOT in a tmp file used by others on a shared machine).

Anyway, in general if the payment facility is handled on the merchant's machine (so at the point of entering the card it's not showing your site in the URL) then you're 100% fine.

If you are using the manual cc info just search and read the contributions, mine can be found at
http://www.oscommerce.com/community/contri...ry,1/search,cvv

I’ve seen others that also hide the central numbers etc - never tried it before but found this in 10 seconds and sounds like a good starting place
http://www.oscommerce.com/community/contri...ry,1/search,cvv

I would check them all out from here and make a short list...
http://www.oscommerce.com/community/contri...ry,1/search,cvv

Si.

#14 scranmer

  • Community Member
  • 172 posts
  • Real Name: Simon Cranmer
  • Gender:Male
  • Location:UK

Posted 20 February 2008, 07:39

it would be worth checking out this one
http://www.oscommerce.com/community/contri...search,security

Edited by scranmer, 20 February 2008, 07:42.


#15 earth-friendly

  • Community Member
  • 54 posts
  • Real Name: Lori Resnick

Posted 20 February 2008, 14:43

scranmer, on Dec 28 2007, 11:07 AM, said:

We have helped several companies through PCI compliance and the previous info is all accurate. It's deadly simple:
  • just ensure you use SSL for all the checkout area (if possible)
  • use one of the merchants that handles the payment process, or hold the "whole" card info for as little time as possible on the server, or split it over multiple emails
  • destroy the payment info at your end as soon as the transaction is authorised or rejected
*** But most of all *** as soon as you can afford it, sign up for one of the systems that offers PCI server checks.
This will possibly highlight some horrid problems with your hosts to start with, but 99% of the time they are simple problems to overcome. Just send the hosts a polite email explaining what you are doing and what the problem is, and I'm sure they will help. This will ensure that hackers have a very hard time compromising your server and therefore accessing your data.

HTH

Si.

I was told by a scanning company, ControlScan, that as long as the credit card information is collected on my site and then sent to the payment gateway (authorize.net in my case), my webhosting server needs to be PCI compliant, even though I am not storing the credit card numbers in my database. Is this true? My webhosting company is great, but there are certain PCI compliance issues that they say they cannot satisfy on their shared hosting environment: certain mail-related vulnerabilities, where the login and password are not collected through SSL, so are passed in cleartext.
Has anyone had a scan pass on a shared hosting environment? Which scanning company did you use? I suspect that this scanning company is extra strict.
I really, really don't want to change my webhosting company! But the scanning company told me that any merchant who is not PCI compliant by October, 2008, will no longer be able to process Visa cards.

Thanks in advance for any suggestions!
-Lori-

#16 toyicebear

  • Community Member
  • 5,474 posts
  • Real Name: Nick
  • Location:World Citizen

Posted 21 February 2008, 00:50

scranmer, on Feb 20 2008, 07:02 AM, said:

Mmm, good point, but if you install the latest version of your module does this not have a fix in for this? Also I've been led to believe this is a "grey" area, or should I say "open to interpretation", and as long as it's a very short amount of time and the tmp files are deleted you're fine (I take it you are talking about a session file - encrypted hopefully - that is NOT in a tmp file used by others on a shared machine).

Anyway, in general if the payment facility is handled on the merchant's machine (so at the point of entering the card it's not showing your site in the URL) then you're 100% fine.

If you are using the manual cc info just search and read the contributions, mine can be found at
http://www.oscommerce.com/community/contri...ry,1/search,cvv

I’ve seen others that also hide the central numbers etc - never tried it before but found this in 10 seconds and sounds like a good starting place
http://www.oscommerce.com/community/contri...ry,1/search,cvv

I would check them all out from here and make a short list...
http://www.oscommerce.com/community/contri...ry,1/search,cvv

Si.


Those are all for manual collection of cc info, which means that you have to be completely PCI compliant. (If you are on shared hosting, then just forget it.)

AND you are under no circumstances allowed to store CVV or CVV2 info!

Here is a quote from another thread:

Quote

IridiumCorp Feb 12 2008, 01:34 PM

There seems to be some confusion about PCI compliance and card details storage so I shall clarify. Being a payment gateway you can take this as the definitive answer.

A card merchant is any merchant who uses any device, be it instore, online, or over the phone. Every merchant who receives, transmits, or stores, or all of the before mentioned, MUST be PCI compliant. PCI compliance is a set of rules that governs how a merchant handles card details, and if any merchant who takes cards, regardless of the medium, has a security breach (ie you have been having details emailed to you from your website and your computer gets stolen and the thief sells on the card details) you are liable to be fined as a merchant - bank - whatever for each card record stolen.

So you can trade without being PCI compliant but if you get caught out you could face fines, being card scheme black listed, being personally black listed or all.

Clevelandweb,

Transactions originating over the web MUST be flagged as internet transactions. There is no other way to do it than through a gateway. If you take your card details from a website and process them manually through your terminal these are the following violations you are carrying out.

1. Improper transaction flagging.
2. Numerous PCI violations.
3. Improper MCC coding.
4. 3D Secure avoidance
5. Processing a card holder present transaction without giving a receipt at the point of transaction.

There are more but you get the point. Anyone of these is serious enough to have your merchant account yanked by the bank if they find out.

Now if you have a terminal you already have a merchant account. Getting that extended to take internet payments is as easy as a phone call. If your acquiring bank tries to charge you setup fees tell them no. I can set you up an IMA for nothing if they persist.

Once you have an IMA, register it with a gateway. Tie your website into the gateway. Get yourself PCI compliant. It's easy and can be done in a couple of hours if you use a service like:

Scan Alert

It's 149 USD per year and is an invaluable exercise to go through. It makes sure you are trading safe. It makes sure that if something goes wrong you are protected from card scheme retribution.

Hope that clears this up once and for all.

IRC


#17 FlyingKites

  • Community Sponsor
  • 1,347 posts
  • Real Name: Kym
  • Gender:Female
  • Location:New York

Posted 28 July 2008, 15:49

Using a third party gateway does not make you PCI Compliant. It is quite possible to hack a site to steal CC numbers en route to a third party gateway, and therefore you must protect the site against such hacks.

1. CC Handling

In order to be PCI Compliant with regard to CC handling you must:

a) use SSL on pages that handle the CC number (which includes ADMIN)
b) encrypt the storage of CC numbers and any other customer identifying data, eg. Billing Name and Address, if you store this data
c) never store the CVV number

For people storing CC data, it is not clear if you have to clear the CC number from your database once the payment has been processed. However unless your site uses a remember me feature which includes the card then it is best practice to do so.


2. CC Access

You need to control who has access to CC data. This means you control who has access to Admin. Each user is supposed to have a unique userid and password and their access should be logged.


3. Environment

In order to protect CC data the environment the site runs under has to be secure. All software has to be configured properly to ensure proper security controls and all software has to be up to date. For example, you should be running php V4.4.8 or the latest V5 release. But it is not only php, it is any software on the server that your site uses. All software has to be upgraded within 1 month of a new release. This requirement makes it almost impossible to be PCI compliant in a shared hosting environment.



I have not read any official PCI material where it says you cannot start a transaction online, as in collect the CC details, and complete it offline. There are many business models where you do not know the total charge until after the customer has placed the order. Therefore it stands to reason that the collection of the card details occurs some time prior to the completion of the transaction.
Kym
We support qdPM Open Framework Project Management

#18 toyicebear

  • Community Member
  • 5,474 posts
  • Real Name: Nick
  • Location:World Citizen

Posted 28 July 2008, 16:31

1. You can not store the CVV/CVV2 3 digit security code. (Not even for a short period.)

Storing it and then deleting it after having processed the order is not allowed either.


2. If you are PCI compliant you can store the cc info, but it's still advised that after you have processed the payment you delete all except the last 4 digits.


If you are not PCI compliant you can not store the cc info, not even for a short period prior to processing it offline.


There are now several providers who offer the possibility of storing the cc info for you in a PCI compliant environment on their secure servers, where you can access the info for offline processing at need.

Edited by toyicebear, 28 July 2008, 16:32.


#19 Vger

  • Community Member
  • 16,978 posts
  • Real Name: R Anthony
  • Gender:Not Telling

Posted 29 July 2008, 16:14

In the United Kingdom it depends on which Bank you use as to whether your site and the server it sits on has to be PCI compliant or not. In the USA you have to be PCI compliant - period!

1. You MUST have ssl.
2. You MUST NOT store credit card data in a shared hosting environment.
3. The website must be generally secure e.g. no 777 permissions anywhere.
4. Any files with .bak or similar file extensions - get rid of them. They are a FAIL.
5. The server your website is on must pass the scan as well.

Vger
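A report-only audit for items 3 and 4 of the list above (777 permissions and stray .bak files), added here as an example rather than anything from the thread or from osCommerce itself; it assumes a POSIX shell with find, and which extensions count as "similar" to .bak is its own assumption.

```shell
#!/bin/sh
# Added example (not from the thread or osCommerce): report-only audit of a
# web root for two checklist items, world-writable (777-style) permissions
# and leftover backup files. Nothing is modified; fix hints are advice only.
# Which extensions count as "similar" to .bak is this script's own assumption.

# world_writable DIR: every file or directory under DIR that any user can write
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# backup_files DIR: stray backup or editor files a compliance scan would flag
backup_files() {
    find "$1" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \
        -o -name '*.swp' -o -name '*~' \) -print
}

# finding_count DIR: number of distinct findings (0 means the tree is clean)
finding_count() {
    { world_writable "$1"; backup_files "$1"; } | sort -u | wc -l | tr -d ' '
}

# audit_docroot DIR: human-readable report with the suggested remediation
audit_docroot() {
    world_writable "$1" | sed 's/^/WORLD-WRITABLE  (fix: chmod o-w)  /'
    backup_files "$1"   | sed 's/^/STRAY BACKUP    (fix: delete)     /'
}

# make_sample_docroot: constructed sample tree for the demo, printed as a path.
# It holds one clean config file, one 777 directory and one stray .bak copy.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/includes" "$d/images"
    chmod 755 "$d" "$d/includes"
    printf '<?php // placeholder, constructed for the demo\n' \
        > "$d/includes/configure.php"
    chmod 644 "$d/includes/configure.php"
    cp "$d/includes/configure.php" "$d/includes/configure.php.bak"
    chmod 644 "$d/includes/configure.php.bak"
    chmod 777 "$d/images"   # the classic "make uploads work" mistake
    printf '%s\n' "$d"
}

sample=$(make_sample_docroot)
audit_docroot "$sample"
echo "findings: $(finding_count "$sample")"   # 2 for the sample tree
rm -rf "$sample"
```

Run it against the real document root on the server being scanned; a count of 0 means these two items are clear, the other items on the list still need their own checks.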

#20 webbydeb

  • Community Member
  • 674 posts
  • Real Name: Debora
  • Gender:Female
  • Location:Denver, CO

Posted 29 July 2008, 19:15

I'm PCI Compliant. I use OSCommerce MS2, have a gateway merchant, bank holds all the cc info, use control scan to thoroughly check my dedicated server, and have SSL. It's a pain in the ass to get compliant, but if you don't do it, you won't be able to do business soon, so you might as well go through the process sooner rather than later. Thank god the hosting company takes care of all the security and maintenance on my server, so they hopped to it when control scan said "do this" or "do that". *laughing*
Debora
Breaking code.... one website at a time.
Vibrators: like cute little puppies without the puppy breath. Who can't like a vibrator?
Life Tip: Taking yourself too seriously? Put on a penis hat and look in the mirror every 5 minutes. That should fix it.
"Finally found the ball gag for those damn voices. Now to pull out the whip....
" - Me
Member of the CODE BREAKERS CLUB - WE RULE!