
McAfee PCI Compliance Testing


11 replies to this topic

#1 apopilot

  • Community Member
  • 7 posts
  • Real Name:Apo

Posted 01 December 2008, 23:51

We are a new start-up e-commerce company selling software. I would like to go through the PCI compliance testing; however, they stated we have to go through a questionnaire. I really don't want to pay $319 and then not get the certification. I know it is important, but isn't osCommerce software secure? I am not a web developer but the site owner. We use PayPal Pro with Express Checkout and direct checkout. Any thoughts or comments would be appreciated.

Thanks

#2 WoodsWalker

  • Community Member
  • 389 posts
  • Real Name:Wendy
  • Gender:Female
  • Location:CANADA

Posted 02 December 2008, 02:29

Hi Apo,

PCI compliance testing involves a questionnaire and a remote scan of your site and the server that it resides on. I have gone through this with Trustwave, but there are many out there to choose from. In their case, getting a "fail" on either segment of the certification process didn't mean that I was booted out in shame and had wasted my money - it just meant that I needed to fix those areas to get a pass. I think I paid about $250, and for that I got a year's worth of monthly re-scans, and I can initiate four additional scans at times of my own choosing, if I want to.

osCommerce is fairly secure (although one of my scans found a vulnerability to cross-site scripting in my "advanced search" function, so I just removed it since I didn't need it) - but beware if you have installed contributions, since vulnerabilities can creep in that way.

I recommend PCI certification if you can afford it, as a security measure. Also, if you collect credit card data on your own site pages, PCI certification is likely to be required by your payment processor (which may be your bank or another financial institution). If your arrangement sends the customer to the pages of the payment gateway in order to enter their cc#, then certification may not be required.

Hope this helps,
~Wendy

#3 apopilot

  • Community Member
  • 7 posts
  • Real Name:Apo

Posted 02 December 2008, 05:15

WoodsWalker, on Dec 2 2008, 02:29 AM, said:

Hi Apo,

PCI compliance testing involves a questionnaire and a remote scan of your site and the server that it resides on. I have gone through this with Trustwave, but there are many out there to choose from. In their case, getting a "fail" on either segment of the certification process didn't mean that I was booted out in shame and had wasted my money - it just meant that I needed to fix those areas to get a pass. I think I paid about $250, and for that I got a year's worth of monthly re-scans, and I can initiate four additional scans at times of my own choosing, if I want to.

osCommerce is fairly secure (although one of my scans found a vulnerability to cross-site scripting in my "advanced search" function, so I just removed it since I didn't need it) - but beware if you have installed contributions, since vulnerabilities can creep in that way.

I recommend PCI certification if you can afford it, as a security measure. Also, if you collect credit card data on your own site pages, PCI certification is likely to be required by your payment processor (which may be your bank or another financial institution). If your arrangement sends the customer to the pages of the payment gateway in order to enter their cc#, then certification may not be required.

Hope this helps,
~Wendy


Wendy,

Your response was very helpful. I am looking into the McAfee PCI Compliance testing for $319 yearly. It looks like they have some great support, and I can also graduate into McAfee Daily Security as well. My next question pertains to the questionnaire. How difficult is it to fill out?

#4 WoodsWalker

  • Community Member
  • 389 posts
  • Real Name:Wendy
  • Gender:Female
  • Location:CANADA

Posted 02 December 2008, 15:26

Hi Apo,

You will likely have a choice of questionnaires, depending on your business model. As I do store credit card numbers on a local non-networked PC (from telephone orders and fax orders), I thought it was appropriate to fill out the longest one. If you never store CC#'s at all, I think you can fill out one of the shorter ones (or so I recall).

Even the longest questionnaire was easy - it was just long. I think it took me 2-3 hours. It covered every business practice you can imagine, and a lot about networks and such that did not apply to me. On most questions I had the option of replying "does not apply". It is important to answer honestly, because of course you want to be secure. The questionnaire is very educational and makes you aware of just where the risks lie in electronic transmission and storage of data.

I passed on my first try. I think there is a fairly wide margin.

Let us know how it goes!

~Wendy

Edited by WoodsWalker, 02 December 2008, 15:27.


#5 apopilot

  • Community Member
  • 7 posts
  • Real Name:Apo

Posted 02 December 2008, 15:54

Wendy,

Thank you. I am using PayPal Pro. I have the EXPRESS CHECKOUT button and a regular CHECKOUT button. One takes the customer to PayPal's site and the other puts in the credit card number on my site. However, PayPal still processes this. I do not see the full credit card. Does this mean that PayPal has the numbers?

Thank you,

#6 WoodsWalker

  • Community Member
  • 389 posts
  • Real Name:Wendy
  • Gender:Female
  • Location:CANADA

Posted 03 December 2008, 15:58

I'm not an expert on PayPal, but from what you describe, one of these options has the customer inputting the numbers into a page on your site. Even though you never see the full credit card number this way (only PayPal "sees" it), it has been processed through your site, and so your site will need to be PCI-compliant.

You might be able to get around this by only using the option that sends customers to a PayPal page in order to enter their number. That way the receiving and processing of the transaction itself completely bypasses your site and its server.

~Wendy

#7 apopilot

  • Community Member
  • 7 posts
  • Real Name:Apo

Posted 03 December 2008, 16:01

Wendy,

McAfee just completed the PCI compliance testing and I passed! There are some minor issues to work out, but I am now PCI compliant. Let me know if anyone has any questions. A very simple and straightforward process.

Thanks

#8 ksn

  • Community Member
  • 7 posts
  • Real Name:Ken

Posted 03 December 2008, 18:06

apopilot, on Dec 3 2008, 09:01 AM, said:

Wendy,

McAfee just completed the PCI compliance testing and I passed! There are some minor issues to work out, but I am now PCI compliant. Let me know if anyone has any questions. A very simple and straightforward process.

Thanks

apo,

Is your osCommerce site on a shared server or your own?

#9 apopilot

  • Community Member
  • 7 posts
  • Real Name:Apo

Posted 03 December 2008, 18:07

ksn, on Dec 3 2008, 06:06 PM, said:

apo,

Is your osCommerce site on a shared server or your own?


Not my own. Hosting on GoDaddy.com.

#10 WoodsWalker

  • Community Member
  • 389 posts
  • Real Name:Wendy
  • Gender:Female
  • Location:CANADA

Posted 03 December 2008, 18:16

Hi Apo!

Glad everything went well! It's really not as scary as it sounds.

~Wendy

#11 WoodsWalker

  • Community Member
  • 389 posts
  • Real Name:Wendy
  • Gender:Female
  • Location:CANADA

Posted 03 December 2008, 18:17

Ken,

I also used shared hosting (almost typed shared hosing :P ) ... so rumors that you cannot get PCI-certification for a site on a shared server are false.

~Wendy

#12 carloscanas

  • Community Member
  • 52 posts
  • Real Name:Carlos R. Canas

Posted 19 December 2008, 22:40

We went with McAfee PCI in August and only had to fix some cross-site vulnerabilities. Other than that, we do not have any problems.