
osCommerce


Archived

This topic is now archived and is closed to further replies.

offordscott

How Do I Know If Oscommerce Is Built To Be Pci Compliant?


I have read a few threads about PCI compliance and I am still left wondering.

 

1. Do you really have to hire a 3rd party company to scan your system for compliance?

2. My payment gateway is a PCI compliant company, but is OsCommerce built to be PCI compliant out of the box?

3. So long as my server has an SSL does that mean I am compliant?

4. Does storing your database on a different server from my webstore give me PCI compliance?

 

Thank you for your help clearing this up. I'm looking for short, clear, factual answers.

 

Scott

Guest

The moment you go with an external gateway (item 2 from your list) to cover the payments, PCI is not applicable there, because no cc info is stored on the server. (And you can confirm that by examining the payment module itself.)

 

If you manage the credit cards in your store yourself (i.e. storing cc details in your database), then you would have to change several aspects of osC to make it compliant, and you would have to go through the PCI spec and check every single item.


First if you plan on taking payment by cc onsite , then yes you need to be PCI compliant.

 

 

1. Depends on your volume of transactions; you can check the qualifying levels on the PCI web site.

 

2. If you use RC1 then yes....

 

3. SSL is mandatory but does not make you compliant as such.

 

4. Not necessarily; the conditions are more complex than that...

 

 

Easy way to be pci compliant...

 

1. Use osCommerce RC1

 

2. Use SSL in the checkout process.

 

3. Use a PCI compliant payment gateway company with a suitable osCommerce payment module.


I was told that one of the requirements was that you HAD to have a dedicated server for your ecommerce site. You can't use share hosting anymore. Is that true?

I was told that one of the requirements was that you HAD to have a dedicated server for your ecommerce site. You can't use share hosting anymore. Is that true?

 

Yes, if *YOU* are collecting the data and storing it, *YOU* must be PCI compliant. That's why it's a *MUCH* better idea to use a 3rd party to handle the data (ie. a PROPER payment gateway). That way, *THEY* are the ones that need to be PCI compliant (all the reputable ones are).



Dammit, as of right now I am collecting the information and storing it in the SQL database. Looks like I've got to take the site down for now and check with my cc processor for some solutions and options.


We have helped several companies through PCI compliance and the previous info is all accurate. It's deadly simple:

  • just ensure you use SSL for all the checkout area (if possible)
  • use one of the merchants that handles the payment process, or hold the "whole" card info for as little time as possible on the server, or split it over multiple emails
  • destroy the payment info at your end as soon as the transaction is authorised or rejected

*** But most of all *** as soon as you can afford it, sign up for one of the systems that offers PCI server checks.

This will possibly highlight some horrid problems with your hosts to start with, but 99% of the time they are simple problems to overcome. Just send the hosts a polite email explaining what you are doing and what the problem is, and I'm sure they will help. This will ensure that hackers have a very hard time compromising your server and therefore accessing your data.

 

HTH

 

Si.

1. Depends on your volum of transactions, you can check qualifying levels on the PCI web site.

 

That used to be true, but unfortunately, for USA based websites at least, there is now no minimum number of transactions to qualify for level 4 PCI compliance.

 

2. If you use RC1 then yes....

 

That's a big No. RC1 still stores credit card data in the database, and includes the default credit card module for running transactions manually through an EPOS machine.

 

Vger

That used to be true, but unfortunately, for USA based websites at least, there is now no minimum number of transactions to qualify for level 4 PCI compliance.

That's a big No. RC1 still stores credit card data in the database, and includes the default credit card module for running transactions manually through an EPOS machine.

 

Vger

 

If anyone is still using RC1 or the standard cc system & EPOS, I have created a mod that captures the CVV & has a delete button to remove the info via admin once you have processed the details. It would only take a moment to also update the card to hide the middle numbers, or delete the card info totally, if anyone needs it.

If anyone is still using RC1 or the standard cc system & EPOS, I have created a mod that captures the CVV & has a delete button to remove the info via admin once you have processed the details. It would only take a moment to also update the card to hide the middle numbers, or delete the card info totally, if anyone needs it.

 

Hi,

 

Is this available anywhere? I'd like to see if it is useable for a client of ours.

 

Thanks

No. RC1 still stores credit card data in the database, and includes the default credit card module for running transactions manually through an EPOS machine.

 

Vger

 

I was not referring to the use of manual collection of cc info, which is a no unless you are totally PCI compliant. And I for one hope the default cc module is removed from future osCommerce versions!

 

I was referring to the fact that from RC1 a modification was made which allows the cc info to be "collected" on the checkout_confirmation page and then sent directly to the payment gateway, without any temporary "saving" of the info in between.

 

Older versions collect the cc info on checkout_payment and as such store the info temporarily before it's sent to the gateway, which gets you into a grey area in regards to PCI compliance.


Mmm, good point, but if you install the latest version of your module does this not have a fix in for this? Also I've been led to believe this is a "grey" area, or should I say "open to interpretation", and as long as it's a very short amount of time and the tmp files are deleted you're fine (I take it you are talking about a session file - encrypted hopefully - that is NOT in a tmp file used by others on a shared machine).

 

Anyway, in general if the payment facility is handled on the merchant's machine (so at the point of entering the card it's not showing your site in the URL) then you're 100% fine.

 

If you are using the manual cc info, just search and read the contributions; mine can be found at

http://www.oscommerce.com/community/contri...ry,1/search,cvv

 

I've seen others that also hide the central numbers etc. - never tried it before, but found this in 10 seconds and it sounds like a good starting place

http://www.oscommerce.com/community/contri...ry,1/search,cvv

 

I would check them all out from here and make a short list...

http://www.oscommerce.com/community/contri...ry,1/search,cvv

 

Si.

We have helped several companies through PCI compliance and the previous info is all accurate. It's deadly simple:
  • just ensure you use SSL for all the checkout area (if possible)
  • use one of the merchants that handles the payment process, or hold the "whole" card info for as little time as possible on the server, or split it over multiple emails
  • destroy the payment info at your end as soon as the transaction is authorised or rejected

*** But most of all *** as soon as you can afford it, sign up for one of the systems that offers PCI server checks.

This will possibly highlight some horrid problems with your hosts to start with, but 99% of the time they are simple problems to overcome. Just send the hosts a polite email explaining what you are doing and what the problem is, and I'm sure they will help. This will ensure that hackers have a very hard time compromising your server and therefore accessing your data.

 

HTH

 

Si.

 

I was told by a scanning company, ControlScan, that as long as the credit card information is collected on my site and then sent to the payment gateway (authorize.net in my case), my webhosting server needs to be PCI compliant, even though I am not storing the credit card numbers in my database. Is this true?? My webhosting company is great, but there are certain PCI compliance issues that they say they cannot satisfy on their shared hosting environment: certain mail-related vulnerabilities, where the login and password are not collected through SSL, so are passed in cleartext.

Has anyone had a scan pass on a shared hosting environment? Which scanning company did you use? I suspect that this scanning company is extra strict.

I really, really don't want to change my webhosting company! But the scanning company told me that any merchant who is not PCI compliant by October, 2008, will no longer be able to process Visa cards.

 

Thanks in advance for any suggestions!

-Lori-

Mmm, good point, but if you install the latest version of your module does this not have a fix in for this? Also I've been led to believe this is a "grey" area, or should I say "open to interpretation", and as long as it's a very short amount of time and the tmp files are deleted you're fine (I take it you are talking about a session file - encrypted hopefully - that is NOT in a tmp file used by others on a shared machine).

 

Anyway, in general if the payment facility is handled on the merchant's machine (so at the point of entering the card it's not showing your site in the URL) then you're 100% fine.

 

If you are using the manual cc info, just search and read the contributions; mine can be found at

http://www.oscommerce.com/community/contri...ry,1/search,cvv

 

I've seen others that also hide the central numbers etc. - never tried it before, but found this in 10 seconds and it sounds like a good starting place

http://www.oscommerce.com/community/contri...ry,1/search,cvv

 

I would check them all out from here and make a short list...

http://www.oscommerce.com/community/contri...ry,1/search,cvv

 

Si.

 

 

Those are all for manual collection of cc info, which means that you have to be completely PCI compliant. (If you are on shared hosting, then just forget it.)

 

AND you are under no circumstances allowed to store CVV or CVV2 info!

 

Here is a quote from another thread:

 

IridiumCorp Feb 12 2008, 01:34 PM

 

There seems to be some confusion about PCI compliance and card details storage so I shall clarify. Being a payment gateway you can take this as the definitive answer.

 

A card merchant is any merchant who uses any device, be it in-store, online, or over the phone. Every merchant who receives, transmits, or stores card details (or all of the above) MUST be PCI compliant. PCI compliance is a set of rules that governs how a merchant handles card details, and if any merchant who takes cards, regardless of the medium, has a security breach (i.e. you have been having details emailed to you from your website and your computer gets stolen and the thief sells on the card details) you are liable to be fined as a merchant - bank - whatever for each card record stolen.

 

So you can trade without being PCI compliant but if you get caught out you could face fines, being card scheme black listed, being personally black listed or all.

 

Clevelandweb,

 

Transactions originating over the web MUST be flagged as internet transactions. There is no other way to do it than through a gateway. If you take your card details from a website and process them manually through your terminal, these are the violations you are carrying out:

 

1. Improper transaction flagging.

2. Numerous PCI violations.

3. Improper MCC coding.

4. 3D Secure avoidance

5. Processing a card holder present transaction without giving a receipt at the point of transaction.

 

There are more, but you get the point. Any one of these is serious enough to have your merchant account yanked by the bank if they find out.

 

Now if you have a terminal you already have a merchant account. Getting that extended to take internet payments is as easy as a phone call. If your acquiring bank tries to charge you setup fees tell them no. I can set you up an IMA for nothing if they persist.

 

Once you have an IMA, register it with a gateway. Tie your website into the gateway. Get yourself PCI compliant. It's easy and can be done in a couple of hours if you use a service like:

 

Scan Alert

 

It's 149 USD per year and is an invaluable exercise to go through. It makes sure you are trading safe. It makes sure that if something goes wrong you are protected from card scheme retribution.

 

Hope that clears this up once and for all.

 

IRC


Using a third party gateway does not make you PCI Compliant. It is quite possible to hack a site to steal CC numbers en route to a third party gateway, and therefore you must protect the site against such hacks.

 

1. CC Handling

 

In order to be PCI Compliant with regard to CC handling you must:

 

a) use SSL on pages that handle the CC number (which includes ADMIN)

b) encrypt the storage of CC numbers and any other customer identifying data, e.g. Billing Name and Address, if you store this data

c) never store the CVV number

 

For people storing CC data, it is not clear if you have to clear the CC number from your database once the payment has been processed. However unless your site uses a remember me feature which includes the card then it is best practice to do so.

 

 

2. CC Access

 

You need to control who has access to CC data. This means you control who has access to Admin. Each user is supposed to have a unique userid and password and their access should be logged.

 

 

3. Environment

 

In order to protect CC data the environment the site runs under has to be secure. All software has to be configured properly to ensure proper security controls, and all software has to be up to date. For example, you should be running php V4.4.8 or the latest V5 release. But it is not only php, it is any software on the server that your site uses. All software has to be upgraded within 1 month of a new release. This requirement makes it almost impossible to be PCI compliant in a shared hosting environment.

 

 

 

I have not read any official PCI material where it says you cannot start a transaction online, as in collect the CC details, and complete it offline. There are many business models where you do not know the total charge until after the customer has placed the order. Therefore it stands to reason that the collection of the card details occurs some time prior to the completion of the transaction.


Kym

Projects Director @ ozEworks.com


1. You cannot store the CVV/CVV2 3 digit security code. (Not even for a short period.)

 

Storing it and then deleting it after having processed the order is not allowed either.

 

 

2. If you are PCI compliant you can store the cc info, but its still advised that after you have processed the payment that you delete all except the 4 last digits.

 

 

If you are not PCI compliant you cannot store the cc info, not even for a short period prior to processing it offline.

 

 

There are now several providers who offer the possibility of storing the cc info for you in a PCI compliant environment on their secure servers, where you can access the info for offline processing at need.

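The card-handling rules the last two posts lay out (never store the CVV/CVV2, not even briefly; once the payment is authorised or rejected keep at most the last four digits of the PAN; sanity-check the number before it goes to the gateway) as a small Python helper. This is an added example, not osCommerce code and not any poster's mod; the record field names (cc_number, cc_cvv, cc_expires and so on) are assumptions, and the card number in the demo is a constructed test value, not real card data.

```python
import re

# Sensitive authentication data: must never be written to disk or database,
# not even briefly and not even encrypted (field names are assumptions).
FORBIDDEN_FIELDS = ("cc_cvv", "cc_track", "cc_pin")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the cheap sanity test to run before calling the gateway."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_for_gateway(record: dict) -> dict:
    """Normalise the in-memory card record before the gateway call; raise if malformed."""
    pan = re.sub(r"\D", "", str(record.get("cc_number", "")))
    if not 12 <= len(pan) <= 19 or not luhn_ok(pan):
        raise ValueError("cc_number fails basic PAN validation")
    return dict(record, cc_number=pan)


def truncate_pan(pan: str) -> str:
    """Return the PAN with everything but the last four digits masked."""
    digits = re.sub(r"\D", "", str(pan))
    return "X" * max(len(digits) - 4, 0) + digits[-4:]


def scrub_after_processing(record: dict) -> dict:
    """What is left once the transaction is authorised or rejected: no CVV, truncated PAN."""
    kept = {k: v for k, v in record.items() if k not in FORBIDDEN_FIELDS}
    if "cc_number" in kept:
        kept["cc_number"] = truncate_pan(kept["cc_number"])
    return kept


def assert_storable(record: dict) -> dict:
    """Guard to call before any INSERT/UPDATE of an order row; returns the record."""
    leaked = [k for k in FORBIDDEN_FIELDS if k in record]
    if leaked:
        raise ValueError("refusing to store sensitive authentication data: %s" % leaked)
    # Five or more consecutive digits means more than the last four survived.
    if re.search(r"\d{5,}", str(record.get("cc_number", ""))):
        raise ValueError("refusing to store more than the last four digits of a PAN")
    return record


if __name__ == "__main__":
    # Constructed sample of what the checkout form posted (not real card data).
    submitted = {"cc_owner": "J. Smith", "cc_number": "4111 1111 1111 1111",
                 "cc_expires": "1209", "cc_cvv": "123"}
    to_gateway = validate_for_gateway(submitted)   # sent to the gateway, stays in memory only
    row = assert_storable(scrub_after_processing(to_gateway))
    print(row)                                     # cc_number is XXXXXXXXXXXX1111, no cc_cvv key
```

The guard enforces the "don't store it" route the thread recommends: if your business model genuinely needs the full PAN for later offline processing, that is the case where the whole environment has to be assessed, and the guard would be replaced by encryption at rest plus access logging rather than relaxed.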

In the United Kingdom it depends on which Bank you use as to whether your site and the server it sits on has to be PCI compliant or not. In the USA you have to be PCI compliant - period!

 

1. You MUST have ssl.

2. You MUST NOT store credit card data in a shared hosting environment.

3. The website must be generally secure e.g. no 777 permissions anywhere.

4. Any files with .bak or similar file extensions - get rid of them. They are a FAIL.

5. The server your website is on must pass the scan as well.

 

Vger

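Vger's list above names two concrete things a scan fails a site on: world-writable (777) permissions and leftover .bak files reachable from the web root. The following is an added Python check that walks a web root for both and can clear the o+w bit; it is example code, not osCommerce's and not any scanning vendor's, and the backup extensions it flags beyond .bak are an assumption (it goes a little beyond the post there). The sample tree it builds for the demo is constructed.

```python
import os
import stat
import tempfile

# .bak is the one the post names; the rest are common editor/backup leftovers
# that serve source (or a database dump) as plain text (assumed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".sql", "~")

WORLD_WRITABLE = "WORLD_WRITABLE"
BACKUP_FILE = "BACKUP_FILE"


def scan_webroot(root):
    """Return [(relative_path, finding_code, octal_mode)] for everything under root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [dirpath] + [os.path.join(dirpath, n) for n in filenames]
        for path in entries:
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                    # the link target is judged on its own
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if mode & stat.S_IWOTH:         # anyone on the box can change it
                findings.append((rel, WORLD_WRITABLE, "%04o" % mode))
            if stat.S_ISREG(st.st_mode) and path.lower().endswith(BACKUP_SUFFIXES):
                findings.append((rel, BACKUP_FILE, "%04o" % mode))
    return findings


def strip_world_write(root, apply=False):
    """Clear the o+w bit on every flagged path; with apply=False only report."""
    changed = []
    for rel, code, _ in scan_webroot(root):
        if code != WORLD_WRITABLE:
            continue
        path = os.path.join(root, rel)
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if apply:
            os.chmod(path, mode & ~stat.S_IWOTH)
        changed.append(rel)
    return changed


def make_demo_tree(base):
    """Constructed sample web root: a clean file, a 777 file and a .bak copy."""
    root = os.path.join(base, "htdocs")
    inc = os.path.join(root, "includes")
    os.makedirs(inc)
    for d in (root, inc):
        os.chmod(d, 0o755)              # explicit, so the demo is umask-independent
    sample = {
        os.path.join(root, "index.php"): 0o644,
        os.path.join(inc, "configure.php"): 0o777,      # the classic install-time mistake
        os.path.join(inc, "configure.php.bak"): 0o644,  # editor copy, readable over HTTP
    }
    for path, mode in sample.items():
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample\n")
        os.chmod(path, mode)
    return root


def demo(fix=False):
    """Scan the constructed tree (optionally after fixing perms); returns [(relpath, code)]."""
    root = make_demo_tree(tempfile.mkdtemp())
    if fix:
        strip_world_write(root, apply=True)
    return [(rel, code) for rel, code, _ in scan_webroot(root)]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree(tempfile.mkdtemp())
    for rel, code, mode in scan_webroot(target):
        print("%-15s %s  %s" % (code, mode, rel))
```

Run it against the document root (`python scan.py /var/www/htdocs`) before paying for a scan; the backup-file findings need deleting or moving outside the web root, not just a chmod, because a 644 `configure.php.bak` is still served as plain text with the database credentials in it.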
Guest

I'm PCI Compliant. I use osCommerce MS2, have a gateway merchant, the bank holds all the cc info, I use ControlScan to thoroughly check my dedicated server, and I have SSL. It's a pain in the ass to get compliant, but if you don't do it, you won't be able to do business soon, so you might as well go through the process sooner rather than later. Thank god the hosting company takes care of all the security and maintenance on my server, so they hopped to it when ControlScan said "do this" or "do that". *laughing*

Easy way to be pci compliant...

 

1. Use osCommerce RC1

 

2. Use SSL in the checkout process.

 

3. Use a PCI compliant payment gateway company with a sutible osCommerce payment module.

 

Not only that: your store should be installed on a dedicated server or dedicated environment, as some web hosts don't bother about the security of their clients' websites.



Hi, All!

 

I just noticed this thread, and thought I'd put in my 2 cents. I designed an osCommerce catalogue this past spring for my existing business, and found that I had to become PCI compliant in order to hook it up with my payment processor, Moneris.

 

My site is hosted, with SSL, on a shared server with Bell Hosting.

 

I was worried about the PCI system scan, but my setup passed, and I got hooked up with Moneris's eSelect system, and everything proceeded well.

 

If you would like more details, I posted them here: PCI Compliance Inspection - Anyone gone through it?

 

My only concern now is that stricter PCI regulations apparently came into effect on July 1, and since then, I have not been passing the monthly scans. This has not affected my operations, as Moneris does not require frequent proof of compliance (perhaps eventually they will request a current certificate?). But in the mean time, I'd like to get up to snuff again.

 

My PCI-certifier is Trustwave (Trustkeeper). They provide a gratifyingly detailed report about their scans, which identified the areas of vulnerability. I forwarded the results to Bell Hosting. They replied that their servers were indeed compliant, and explained that Trustkeeper's protocols included tests that were irrelevant to my particular site.

 

If I wished to pursue this (as I would be obliged to if Moneris required it), I could get involved with Trustkeeper's appeals process, where they examine the results on a case-by-case basis. I may end up doing this in future. Or, Bell Hosting may tighten up its security to the point that it passes all scans, irrelevant or not.

 

I'm sure the hosting folks out there are feeling most frustrated. PCI-certification scans are not standardized, and some companies are much more conservative than others. Then again, some hosting companies are much more lax than others. This leaves folks like us merchants smack dab in the middle.

 

I guess it's all part of the process of using newish technology to perform somewhat risky business. Maybe it will be easier for our children and grandchildren.

 

Happy to say I'm still enjoying doing business! :)

 

~Wendy
