
How Do I Know If osCommerce Is Built To Be PCI Compliant?


21 replies to this topic

#21 web-project

  • Community Member
  • 4,266 posts
  • Real Name: Alex
  • Gender: Male
  • Location: Hertfordshire, UK

Posted 29 July 2008, 21:03

Easy way to be PCI compliant...

1. Use osCommerce RC1.

2. Use SSL in the checkout process.

3. Use a PCI compliant payment gateway company with a suitable osCommerce payment module.

Not only that: your store should be installed on a dedicated server or dedicated environment, as some web hosts don't bother about the security of their clients' websites.

Edited by web-project, 29 July 2008, 21:06.

Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time fixing your issues.
Any issues with osCommerce, I am here to help you.
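Step 2 above ("use SSL in the checkout process") is, in osCommerce 2.2, a matter of how catalog/includes/configure.php is written. The following is an added example, not code from the thread or from the osCommerce project: a small audit that parses the define() lines of that file and flags the settings that leave checkout and login on plain HTTP. The two configuration samples are constructed for the example (the hostname shop.example is a placeholder); the constant names ENABLE_SSL, HTTPS_SERVER and HTTPS_COOKIE_DOMAIN are the standard ones from osCommerce 2.2's configure.php, and the check assumes that file's define('NAME', value) layout.

```python
import re

# Constructed sample: the weak configuration a fresh install ships with.
# Checkout stays on http:// because ENABLE_SSL is false and HTTPS_SERVER
# was never changed to an https:// URL.
WEAK_CONFIG = """<?php
  define('HTTP_SERVER', 'http://shop.example');
  define('HTTPS_SERVER', 'http://shop.example');
  define('ENABLE_SSL', false);
  define('HTTP_COOKIE_DOMAIN', 'shop.example');
  define('HTTPS_COOKIE_DOMAIN', 'shop.example');
"""

# Constructed sample: the same file with checkout forced onto HTTPS.
HARDENED_CONFIG = """<?php
  define('HTTP_SERVER', 'http://shop.example');
  define('HTTPS_SERVER', 'https://shop.example');
  define('ENABLE_SSL', true);
  define('HTTP_COOKIE_DOMAIN', 'shop.example');
  define('HTTPS_COOKIE_DOMAIN', 'shop.example');
"""

# Matches define('NAME', 'quoted value') as well as define('NAME', true).
DEFINE_RE = re.compile(
    r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|([A-Za-z0-9]+))\s*\)"
)


def parse_defines(source):
    """Return {constant_name: value}; bare literals (true/false) are lowercased."""
    defines = {}
    for match in DEFINE_RE.finditer(source):
        name, quoted, bare = match.groups()
        defines[name] = quoted if quoted is not None else bare.lower()
    return defines


def audit_ssl_settings(source):
    """Return a list of findings; an empty list means the SSL settings look right."""
    cfg = parse_defines(source)
    findings = []

    # ENABLE_SSL must be true, otherwise osCommerce builds checkout and login
    # links with HTTP_SERVER instead of HTTPS_SERVER.
    if cfg.get('ENABLE_SSL', 'false') not in ('true', '1'):
        findings.append(
            "ENABLE_SSL is not true: checkout and login pages are served over plain HTTP")

    # HTTPS_SERVER is the base URL used for every secure page; it must be https://.
    https_server = cfg.get('HTTPS_SERVER', '')
    if not https_server.lower().startswith('https://'):
        findings.append(
            f"HTTPS_SERVER is not an https:// URL: {https_server!r}")

    # The secure cookie domain must be set so the session cookie is scoped
    # to the HTTPS host.
    if not cfg.get('HTTPS_COOKIE_DOMAIN'):
        findings.append("HTTPS_COOKIE_DOMAIN is empty")

    return findings


if __name__ == '__main__':
    for label, source in (('weak', WEAK_CONFIG), ('hardened', HARDENED_CONFIG)):
        print(f"{label}: {audit_ssl_settings(source) or 'no findings'}")
```

A file audit like this only covers the second point in the list; whether the payment module hands card data straight to a PCI compliant gateway, and whether the host isolates the store from other tenants, are things you have to verify with the module's documentation and the hosting provider rather than in configure.php.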

#22 WoodsWalker

  • Community Member
  • 387 posts
  • Real Name: Wendy
  • Gender: Female
  • Location: CANADA

Posted 13 August 2008, 15:17

Hi, All!

I just noticed this thread, and thought I'd put in my 2 cents. I designed an osCommerce catalogue this past spring for my existing business, and found that I had to become PCI compliant in order to hook it up with my payment processor, Moneris.

My site is hosted, with SSL, on a shared server with Bell Hosting.

I was worried about the PCI system scan, but my setup passed, and I got hooked up with Moneris's eSelect system, and everything proceeded well.

If you would like more details, I posted them here: PCI Compliance Inspection - Anyone gone through it?

My only concern now is that stricter PCI regulations apparently came into effect on July 1, and since then, I have not been passing the monthly scans. This has not affected my operations, as Moneris does not require frequent proof of compliance (perhaps eventually they will request a current certificate?). But in the meantime, I'd like to get up to snuff again.

My PCI-certifier is Trustwave (Trustkeeper). They provide a gratifyingly detailed report about their scans, which identified the areas of vulnerability. I forwarded the results to Bell Hosting. They replied that their servers were indeed compliant, and explained that Trustkeeper's protocols included tests that were irrelevant to my particular site.

If I wished to pursue this (as I would be obliged to if Moneris required it), I could get involved with Trustkeeper's appeals process, where they examine the results on a case-by-case basis. I may end up doing this in future. Or, Bell Hosting may tighten up its security to the point that it passes all scans, irrelevant or not.

I'm sure the hosting folks out there are feeling most frustrated. PCI-certification scans are not standardized, and some companies are much more conservative than others. Then again, some hosting companies are much more lax than others. This leaves folks like us merchants smack dab in the middle.

I guess it's all part of the process of using newish technology to perform somewhat risky business. Maybe it will be easier for our children and grandchildren.

Happy to say I'm still enjoying doing business! :)

~Wendy

Edited by WoodsWalker, 13 August 2008, 15:18.