trainwatcher

PCI DSS Compliance


I haven't found any discussion about PCI DSS compliance on here. Am I missing something?

 

I currently have a non-compliant site with a number of COMODO scan FAILS showing IP address vulnerabilities as: "Non-persistent Cross-Site Scripting Vulnerability http (80/tcp)" and others referring to XSS code.

My host thinks these are all oSC related.

What do these vulnerabilities mean and what might the remedies be?

 

Any advice gratefully received! Our compliance deadline looms.

Thanks

I currently have a non-compliant site with a number of COMODO scan FAILS showing IP address vulnerabilities as: "Non-persistent Cross-Site Scripting Vulnerability http (80/tcp)" and others referring to XSS code.

My host thinks these are all oSC related.

Correct, see the following article:

http://en.wikipedia.org/wiki/Cross-site_scripting

 

The above issue can be easily fixed; search the forum for the security modules.


Please read this line: Do you want to find all the answers to your questions? Click here. As for the contribution database, it's located here!

8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.

Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you and everyone here on the forum time fixing your issues.

Any issues with oscommerce, I am here to help you.


I haven't found any discussion about PCI DSS compliance on here. Am I missing something?

 

There is a discussion here that touches on it

 

I currently have a non-compliant site with a number of COMODO scan FAILS showing IP address vulnerabilities as: "Non-persistent Cross-Site Scripting Vulnerability http (80/tcp)" and others referring to XSS code.

My host thinks these are all oSC related. What do these vulnerabilities mean and what might the remedies be?

 

Any advice gratefully received! Our compliance deadline looms.

Thanks

 

My guess is that COMODO has run a few tests to see if osCommerce produces javascript alert results, which earlier versions will do because they are now outdated. Try out osC_Sec (see link in my signature); it will ban most XSS type attacks common to osCommerce.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Thanks. I understand the nature of the problem a little more. BTW, how can I tell which version of osC I am using? Seems any remediation will need to take this into account.


The most consistent way to check osCommerce version is to open the /includes/application_top.php file and look for the line directly under this:

 

// define the project version

Chris


 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


Look in application top (about line 38)

 

I originally passed compliance with 2.2RC2a without any scripting problems

 

I have since passed compliance with 2.3.1 without any problems

 

Possibly the reason why PCI DSS compliance is not discussed much on the forum is because a lot of members are under the false impression that it costs mega bucks to achieve - so no point in discussing :-"


My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary


 

Possibly the reason why PCI DSS compliance is not discussed much on the forum is because a lot of members are under the false impression that it costs mega bucks to achieve - so no point in discussing :-"

 

Maybe or perhaps folk are using payment modules that make a transaction off site. I think PayPal/Sage do this which means the liability is shifted away from the site owner? Is that the case?

Otherwise I don't know why people are bothering. The acquiring facilities are putting up charges for non-compliance all the time. Next they will shut down merchant accounts, I suppose.

:huh:


Look in application top (about line 38)

 

I originally passed compliance with 2.2RC2a without any scripting problems

 

I have since passed compliance with 2.3.1 without any problems

 

Possibly the reason why PCI DSS compliance is not discussed much on the forum is because a lot of members are under the false impression that it costs mega bucks to achieve - so no point in discussing :-"

 

 

PCI DSS compliance for being able to "transmit" CC transactions via your site is easy to get and not expensive at all.

 

The main problem is that someone thinks this is enough to also store the CC info in the DB. For those who wish to store CC info in the DB and manually process it, the process to be fully PCI DSS compliant is quite a bit more complex and expensive.


PCI DSS compliance for being able to "transmit" CC transactions via your site is easy to get and not expensive at all.

 

This is true - about $60 - $150 per year (£40 - £100) for level 4

 

The main problem is that someone thinks this is enough to also store the CC info in the DB. For those who wish to store CC info in the DB and manually process it, the process to be fully PCI DSS compliant is quite a bit more complex and expensive.

 

I cannot think of a valid reason why anyone should want to store CC info in their own database, whether online or just on their computer; with my gateway I can have repeating payments, delayed payments, etc.

 

Anyone that thinks that if they take cc details and process them manually they do not have to be PCI DSS compliant had better start to think again - you now have to be compliant whatever means of handling cc you use - online, MOTO or terminal.

 

Most retailers/merchants will only acquire level 4 - 2 compliance; except in rare cases, only payment gateways will have level 1.



Late with everything as usual. For the moment I am thinking of reverting to VT payment processing only and switching off my website's CC API, or at least switching to something less risky like allowing customers to go to PayPal (who will charge me more, I know). On the other hand, I do not store CC details on either my machine or DB. OSC_SEC.PHP looks like an easy install but doesn't mention XSS from my brief scan. Any more detail would be appreciated as to how XSS can be remediated. Thanks!

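The post above asks how the reflected ("non-persistent") XSS the scanner flags can be remediated. As an added example, not code from osCommerce, osC_Sec or any poster here, this shows the pattern a scanner probes for, a raw GET parameter echoed into the page, beside the fix of HTML-encoding every untrusted value at the point of output. The `keywords` parameter and function names are hypothetical.

```php
<?php
// Added example (not osCommerce code). A scanner sends a request such as
// search.php?keywords=<script>alert(1)</script> and flags the page if the
// string comes back unencoded, which is what a "javascript alert" test does.

// Vulnerable pattern: the raw query parameter is echoed straight into HTML.
function render_results_unsafe(array $get): string {
    $keywords = $get['keywords'] ?? '';
    return "<h2>Results for: $keywords</h2>";
}

// Hardened pattern: encode at output. ENT_QUOTES also encodes ' and ", so the
// same helper is safe inside attribute values, not only in text nodes.
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_results_safe(array $get): string {
    $keywords = $get['keywords'] ?? '';
    return '<h2>Results for: ' . esc($keywords) . '</h2>'
         . '<input type="text" name="keywords" value="' . esc($keywords) . '">';
}

// Constructed input imitating the scanner's probe (hypothetical parameter name).
$probe = ['keywords' => '<script>alert(1)</script>'];

echo render_results_unsafe($probe), PHP_EOL; // script tag survives: scan fails
echo render_results_safe($probe), PHP_EOL;   // &lt;script&gt;...: shown as text

// Self-check to run before requesting a directed re-scan: the hardened output
// must never contain the probe verbatim.
assert(strpos(render_results_safe($probe), '<script>') === false);
```

The same encode-at-output rule applies to every place a request value, cookie or database field is written into HTML; a security module only filters the most common probes, whereas encoding fixes the class of bug.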

You still have to be compliant to use VT, as I said above. PayPal is not the answer if you want to accept CC customers; especially in the UK, do not trust PayPal.

 

It would be better to use a payment gateway (as well as cheaper).

 

 

What is the version of your osC?



Look in application top (about line 38)

 

I originally passed compliance with 2.2RC2a without any scripting problems

 

I have since passed compliance with 2.3.1 without any problems

 

Possibly the reason why PCI DSS compliance is not discussed much on the forum is because a lot of members are under the false impression that it costs mega bucks to achieve - so no point in discussing :-"

 

 

Xpajun, could you explain to me how much it cost you to become PCI compliant? Monthly fees? Cost of an SSL certificate?

 

I'm going to be building a v2.3.1 website in the next month and am currently trying to figure out what it will take to get my site secured. In the beginning we will only be accepting Paypal while we discuss the options of payment gateways so that I can be slightly covered before venturing into using something like Authorize.net.

 

I appreciate the help as this is a really serious aspect to an eCommerce site.


Xpajun, could you explain to me how much it cost you to become PCI compliant? Monthly fees? Cost of an SSL certificate?

 

I'm going to be building a v2.3.1 website in the next month and am currently trying to figure out what it will take to get my site secured. In the beginning we will only be accepting Paypal while we discuss the options of payment gateways so that I can be slightly covered before venturing into using something like Authorize.net.

 

I appreciate the help as this is a really serious aspect to an eCommerce site.

 

 

Hi Bret,

 

First off I want to make clear that I'm in the UK - there is no reason why similar costs don't apply elsewhere in the world (after all Elavon and Trustwave are international companies) but would certainly be an incentive to make you check. ;)

 

Two quotes I made on a post discussing alternatives to PayPal:

 

The official statistics show that 33% of people that shop on line use PayPal

 

That is why I started using a card payment gateway - so the other 67% of people that shop on line could buy at my store

 

I use PayPoint as my gateway and Elavon as my merchant banker - payment via these currently cost me less than half than the fees on PayPal

 

It's certainly worth looking into - but don't drop PayPal - it doesn't cost anything even if it's not used

 

Hi Phil yes it is, MBs in the UK have suddenly realised that they are losing business to the likes of PayPal and are dropping setup fees - pre PayPal fees were about £450 including the audit - mine cost £50 - my compliance is PCI level 4 (as far as I am aware) - the hoops you have to jump through are neither too high nor too small.

 

PayPoint as the gateway, processes all card payment and is PCI level one compliant.

 

This is my first year (should have done it long ago but was put off by the talk of high fees) so what it will cost for any security audit I do not know although none have been charged in the last 4 months.

 

I do have to pay £40 per month (£20 to each) for processing whether processing takes place or not, but this does include any processing fees that occur up to a set amount (i.e. PayPoint charges you £20 but that includes the first 350 transactions; Elavon's £20 includes all transaction fees up to that amount at the rates you negotiate with them when you start) that can work out as little as £0.21.5 per transaction or up to about 2% - 2.5% of the transaction value depending on the type of card used. I think when I first started I worked out that I had to take via card services £850 per month to break even with PayPal.

 

Two great sellers with card services - We NEVER hold your credit card details and you DON'T have to pay with PayPal ;)

 

 

The thing is, many professionals in the market tend to give you horror stories of what is needed in order to sell you their product, if you pluck up the courage to shop around you tend to be pleasantly surprised - I know I was

 

Further to these two quotes, I have recently passed level 4 PCI DSS Compliance with Trustwave. This cost me £40 via Elavon, which is a yearly recurring fee and covers:

 

• An on-line Compliance Questionnaire

• (4) Quarterly Vulnerability Scans

• Additional Directed Scans to validate that a vulnerability has been corrected or for testing purposes

 

 

Notes:

 

PayPoint is, or was, SecPay - well known as a payment gateway.

 

PayPoint also have PayCash where your customers can pay cash for your goods at any one of PayPoint's 20,000 outlets in the UK (very often in the corner shop at the end of your customer's street)

 

When negotiating your fees with your merchant bank, get the best rate you can, as it can be difficult (so I have been told) to get these changed once you have signed up. This rate will be based on your monthly/yearly sales, both numbers and average price per item. Merchants also like to see your previous year's sales history from your current gateway; in most people's case when starting up this will more than likely be PayPal.

 

You will also need a business bank account for the funds to be transferred into - shop around for these as well, Santander's on-line business account is currently free in the UK, other banks may offer a similar deal



We have osCommerce 2.2. We recently got the following email regarding our PCI compliance:

 

We will be able to move your account to a PCI compliant server, pci01sd. Currently we have only one PCI compliant server but unfortunately that server does not support ASP or JSP. So if account moved to that server, your ASP scripts won't be working in PCI compliant server any more. Please let us know or confirm if you would still wish to move your account to PCI compliant server.

Does this program use ASP or JSP?

 

Thanks.
