skipunda

PCI Compliance with OSCommerce


So, I have to register our website on behalf of the business to be PCI compliant. In short, PCI means that the originating business is indemnified against virtual fraudulent activity. I'm not talking about a boy with a stolen card but a boy with a computer sitting on a virtual gateway between you and your merchant bank (where your money goes).

 

All businesses should have PCI compliance, or else they will be billed the total amount ($$$) hacked by the aforementioned boy/girl.

 

If you take a look at the following site you will get a brief summary of each aspect you must be able to check in order to 'comply'.

http://corporate.ticketnetwork.com/pci-compliance.aspx

 

Now my question: how does one go about being compliant? What technology is required, e.g. SSL, etc.?

 

My site's vital info:

- Running osCommerce 2.2-MS2

- No card information is entered on the site

- Only details of customer addresses are stored on the site

- We do not have SSL

- No data whatsoever is passed back to our site from our bank except whether it was a success or an error. If it was a success, the order is processed; if declined, it is deleted, etc.

- We take what I would consider a medium amount of transactions

 

So, what are your thoughts on this? Have any osCommerce sites been certified? If so, how?


just to follow this up.....

 

Because all my card details are actually entered into our banking system and are not passed (or parsed) or held in our local databases, we do not technically have to put osCommerce as our Point of Sale platform. We can select our banking CPI instead.

 

Just in case anyone else stumbles across this


As long as no card info is entered on your site, you are not required to be PCI compliant.

 

 

 

If the card information is in any way entered, transmitted or passed on/through your site then you are required to be PCI compliant.

 

 

Example 1.

 

You use PayPal Standard as your only payment method; the customer is redirected to the PayPal server and enters their payment information there. You are not required to be PCI compliant.

 

Example 2.

 

You are using PayPal Pro as your payment method; the customer inputs their credit card info on your site while the details are actually transmitted through to PayPal in the background. Then you will need to be PCI compliant.

> As long as no card info is entered on your site, you are not required to be PCI compliant.

What about if the payment details are collected and stored in an encrypted way?

 

P.S. I am researching how to provide PCI-compliant hosting. I know how to create a very secure environment for an osCommerce store.



> What about if the payment details are collected and stored in an encrypted way?
>
> P.S. I am researching how to provide PCI-compliant hosting. I know how to create a very secure environment for an osCommerce store.

 

 

Does not matter that much; encryption is just a small part of PCI compliance.

 

The server environment, physical access to server, physical access logs, data access logs and much more also comes into account.

> Does not matter that much; encryption is just a small part of PCI compliance.
>
> The server environment, physical access to server, physical access logs, data access logs and much more also comes into account.

 

One of the issues that I'm having is that the login script needs to be on https: rather than http:. I searched the contribs, but don't see anything for a secure login box. How is everyone getting by with this issue?


> One of the issues that I'm having is that the login script needs to be on https: rather than http:. I searched the contribs, but don't see anything for a secure login box. How is everyone getting by with this issue?

 

 

If the login box is set up correctly, the form is called via https (provided that your osCommerce installation is configured to use SSL).

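What "configured to use SSL" means in practice, as an added example that is not part of the thread or of osCommerce's own code: in osCommerce 2.2 the https/http choice for any link is made by the constants in includes/configure.php, and a link built with the 'SSL' connection flag only becomes https when ENABLE_SSL is true. The constant names below are the ones the stock configure.php defines; www.example.com and the /catalog/ path are placeholders, and build_link() is a deliberately simplified model of the base-URL branch inside osCommerce's tep_href_link() (no session id or search-engine-safe rewriting), not the stock function.

```php
<?php
// Added example, not from the thread. Placeholder values for an osCommerce 2.2
// includes/configure.php; these are the stock constant names.
define('HTTP_SERVER',          'http://www.example.com');
define('HTTPS_SERVER',         'https://www.example.com');
define('ENABLE_SSL',           true);   // with false, every 'SSL' link silently falls back to http
define('DIR_WS_HTTP_CATALOG',  '/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/catalog/');
define('FILENAME_LOGIN',       'login.php');

// Simplified model (assumption: not the stock tep_href_link) of how osCommerce
// picks the base URL for a link. The point to notice: asking for 'SSL' is only
// honoured when ENABLE_SSL is true; otherwise you get a plain http URL with no
// warning, which is exactly how a "secure" login box ends up posting over http.
function build_link($page, $parameters = '', $connection = 'NONSSL') {
    if ($connection == 'SSL' && ENABLE_SSL == true) {
        $link = HTTPS_SERVER . DIR_WS_HTTPS_CATALOG;
    } else {
        // 'NONSSL', or 'SSL' requested while ENABLE_SSL is false
        $link = HTTP_SERVER . DIR_WS_HTTP_CATALOG;
    }
    $link .= $page;
    if ($parameters != '') {
        $link .= '?' . $parameters;
    }
    return $link;
}

// The login form action, built the way login.php / a login box builds it:
// page FILENAME_LOGIN, parameters 'action=process', connection 'SSL'.
$form_action = build_link(FILENAME_LOGIN, 'action=process', 'SSL');

// Check a store owner can run from the shell (php sslcheck.php) before going
// live: fail loudly if the login form would post credentials over http.
if (strpos($form_action, 'https://') !== 0) {
    fwrite(STDERR, "login form action is NOT https: $form_action\n");
    exit(1);
}
echo "login form action: $form_action\n";
```

Two caveats a practitioner should keep in mind. First, the action URL being https is not enough on its own: the page that renders the password field must itself be served over https, otherwise anyone on the path can rewrite the form before the customer submits it, so links to the login page should also be generated with the 'SSL' flag. Second, ENABLE_SSL is a single switch for the whole store; toggle it to false for a test and every "secure" link degrades to http at once, which is why the check above is worth running after any configure.php change.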
