osCommerce

SSL and PCI compliance


william.n

Hi All

 

My e-commerce provider wants to charge £400 (normally £900!) to make my site PCI compliant and £90 for SSL.

 

The SSL charge seems about average but I've seen PCI compliance testing for as little as £50... what's the difference between what he is offering and the £50 testing? (and nobody say £350 :-)

 

Here's the website for the PCI compliance testing:

 

http://www.host-it.co.uk/hosting/additional_options/PCI_Compliant_Scanning.asp

 

Regards

 

Bryan


If you are using a third party credit card processing system like PayPal, you don't need to worry about PCI compliance. Besides, osCommerce is not PCI compliant out of the box, and making it so could be costly if you have to hire someone to code it.

You only need to worry about this if you are planning on processing credit cards live on your own site, and are storing CC numbers and such.


  • 2 weeks later...

If you use PayPal's web pay pro then you need to be PCI compliant, according to PayPal's website, but not if you use PayPal Express or standard PayPal modules.

PayPal have a link offering free PCI scans on their site, which takes you to McAfee.

I am in the process of setting this up and have done two scans so far, which cost nothing; not sure how this works once the site passes the security checks for PCI.

The issues I appear to have now, which aren't many and are low risk, are to do with the way the SSL is set up and the OpenSSL and PHP versions in use on the server. When that's sorted (free, so far at least) by my hosting company, I hope that will be pretty much it.

SSL certs aren't expensive either, about £60 including setup and dedicated IP address.

I do have the security mods in place and I have an extremely heavily modified site.

Getting better with mods but no programmer am I.


> I am in the process of setting this up and have done two scans so far, which cost nothing; not sure how this works once the site passes the security checks for PCI.

 

It took me about 10 scans to be completely PCI compliant. McAfee Security compliance was 100% on the first scan, but doing the PCI scans (even though I am not required) revealed a lot of information about my server to me. There is a link you can select to download your PCI Compliance reports once you finally get there.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


> It took me about 10 scans to be completely PCI compliant. McAfee Security compliance was 100% on the first scan, but doing the PCI scans (even though I am not required) revealed a lot of information about my server to me. There is a link you can select to download your PCI Compliance reports once you finally get there.

I have just had my third scan, down to 8 severity ones and 3 severity threes; to be compliant I have to get rid of the threes.

Cross site scripting being one of them, I just don't exactly understand why it's showing me what it is showing me, as it suggests to me (the way I read it) two possible sources of the issue. Would you mind if I PM'd you about it to see what you think?

Also, which cross site scripting mod is the best? And how does it work? As from the data I have, the risk is from a very specific area, but the cross scripting mod is general?

Getting better with mods but no programmer am I.


Just to let you know that scan 6 passed the PCI compliance test by McAfee.

My host company helped with the server side of things and I did a few changes as outlined on the forums and, lo and behold, it passed. Mainly server side software: PHP and OpenSSL versions were old and needed updating etc.

The hardest part was understanding what it was getting at first.

The cost was only that I needed for the SSL certificate, dedicated IP and installation; the certificate wasn't an expensive one by any means (cheap RapidSSL). Scans were free, support was free, time and effort a few hours spread over a few days for me. Very happy, but I guess it doesn't stop there as new threats happen every day.

 

 

 

Yipppppeeeeee

Getting better with mods but no programmer am I.


And if I remember right, PCI compliance requires that you pass the scan each quarter... It's only just begun.

 

 

lol yes that's right, but if it is as easy as it's been (wasn't saying that at first) then I can't see it being a major issue. My host company have sorted everything their end and haven't charged anything extra for doing so, so that's a big plus, and the changes I had to do were minor and I could do them myself with minimum effort, and you get three days (72 hours) to sort out non-compliances.

So I guess as soon as you get the non-compliance you have to move quickly.

Getting better with mods but no programmer am I.


Archived

This topic is now archived and is closed to further replies.
