PCI Compliance with OSCommerce


skipunda

So, I have to register our website on behalf of the business to be PCI compliant. In short, PCI means that the originating business is indemnified against virtual fraudulent activity. I'm not talking about a boy with a stolen card but a boy with a computer sitting on a virtual gateway between you and your merchant bank (where your money goes).

All businesses should have PCI compliance, else they will be billed the total amount $$$ hacked by the aforementioned boy/girl.

If you take a look at the following site you will get a brief summary of each aspect you must be able to check in order to 'comply'.

http://corporate.ticketnetwork.com/pci-compliance.aspx

Now my question: How does one go about being compliant? What technology is required, e.g. SSL etc.?

My site's vital info:

- Version is running osCommerce 2.2-MS2
- No card information is entered on the site
- Only details of customer addresses are stored on the site
- We do not have SSL
- No data whatsoever is passed back to our site from our bank except whether it was a success or error. If success, the order is processed; if declined, it is deleted, etc.
- We take what I would consider a medium amount of transactions

So, what are your thoughts on this? Have any osCommerce sites been certified? If so, how?


Just to follow this up...

Because all my card details are actually entered into our banking system and are not passed (or parsed) or held in our local databases, we do not technically have to put osCommerce as our Point of Sale platform. We can select our banking CPI instead.

Just in case anyone else stumbles across this.


As long as no card info is entered on your site, then you are not required to be PCI compliant.

If the card information is in any way entered, transmitted or passed on/through your site then you are required to be PCI compliant.

Example 1.

You use PayPal Standard as your only payment method; the customer is redirected to the PayPal server and enters their payment information there. You are not required to be PCI compliant.

Example 2.

You are using PayPal Pro as your payment method; the customer inputs their credit card info on your site while the details are actually transmitted through to PayPal in the background. Then you will need to be PCI compliant.


As long as no card info is entered on your site, then you are not required to be PCI compliant.

What about if the payment details are collected and stored in an encrypted way?

P.S. I am doing research on how to provide PCI-compliant hosting. I know how to create a very secure environment for an osCommerce store.


What about if the payment details are collected and stored in an encrypted way?

P.S. I am doing research on how to provide PCI-compliant hosting. I know how to create a very secure environment for an osCommerce store.

Does not matter that much, encryption is just a small part of PCI compliance....

The server environment, physical access to the server, physical access logs, data access logs and much more also come into account.


1 month later...

Does not matter that much, encryption is just a small part of PCI compliance....

The server environment, physical access to the server, physical access logs, data access logs and much more also come into account.

One of the issues that I'm having is that the login script needs to be on https: rather than http: - I searched the contribs, but don't see anything for a secure login box. How is everyone getting by with this issue?

Edited by DriWashSolutions

John Skurka


One of the issues that I'm having is that the login script needs to be on https: rather than http: - I searched the contribs, but don't see anything for a secure login box. How is everyone getting by with this issue?

If the login box is set up correctly the form is called via https (provided that your osCommerce installation is configured to use SSL).
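An added check for the two conditions this thread turns on: a login box whose form posts over plain http, and card fields present on the shop's own pages (the PayPal Pro case, which puts the site in PCI scope). This is example code written for this page, not part of osCommerce or any contribution, and the sample HTML, URLs and field-name list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Input names that show card data is typed on our own pages (a constructed list of common names).
CARD_FIELD_HINTS = ("cc_number", "card_number", "cc_cvv", "cvv", "cc_expires")

class FormScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []       # one dict per form: resolved action, password field seen, card field seen
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or missing action resolves against the page the form was served from.
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""),
                             "password": False, "card": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password"] = True
            if any(h in (a.get("name") or "").lower() for h in CARD_FIELD_HINTS):
                self._current["card"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_forms(html, page_url):
    """Return (action, finding) pairs: login forms that do not post to https, and forms taking card data."""
    scanner = FormScanner(page_url)
    scanner.feed(html)
    findings = []
    for f in scanner.forms:
        if f["password"] and urlparse(f["action"]).scheme != "https":
            findings.append((f["action"], "login form submits over plain http"))
        if f["card"]:
            findings.append((f["action"], "card data entered on this site, PCI scope applies"))
    return findings

# Constructed sample page: a login box posting over http and a PayPal Pro style card form.
SAMPLE_HTML = """
<form name="login" action="http://shop.example/catalog/login.php?action=process" method="post">
  <input type="text" name="email_address"><input type="password" name="password"></form>
<form name="checkout" action="https://shop.example/catalog/checkout_process.php" method="post">
  <input type="text" name="cc_number"><input type="text" name="cc_cvv"></form>
"""
```

Run `audit_forms(SAMPLE_HTML, "http://shop.example/catalog/index.php")` against the saved HTML of your own login and checkout pages; an empty result for the login page means the box is posting over https as the reply above describes.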
