
joer80

PCI-DSS compliance certification from osCommerce?


My merchant is asking that I provide them with a PCI-DSS compliance certification from both my host and osCommerce.

Is this necessary? How would I contact osCommerce?


You won't get anything from osC

 

YOU installed the software - it's your responsibility now.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 



You won't get anything from osC

 

YOU installed the software - it's your responsibility now.

 

I agree, but what do you tell the merchant?


I'd get in contact with the merchant again...it's likely they gave you incorrect info. Our merchant has a 3rd party that runs the PCI compliance checks against the store and reports the findings to them. I'm not aware of any cart software that will offer you any type of PCI compliance certs.

 

Peace,

Chris


You will need to run a PCI vulnerability scan on your site and then you will have to take care of any software issues while the hosting company should take care of the server/hosting issues.

 

You can find more info on PCI compliance at: www.pcicomplianceguide.org


PCI DSS compliance will alert you when any unplanned changes are detected in server software, using file-integrity monitoring, or in firewalls, intrusion protection systems, and any other network device within your 'Compliant Infrastructure'.
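The file-integrity monitoring mentioned above, as an added example that is not from this thread or from osCommerce: a small Python baseline/compare routine that hashes every file under a store's document root and reports what was added, removed or modified since the baseline was taken. The skipped directory names (`cache`, `images`) and the file names in the constructed demo tree are assumptions.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, skip_dirs=("cache", "images")):
    """Map relative path -> SHA-256 for every file under root; skip_dirs are assumed volatile."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]  # prune in place
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline

def compare(baseline, current):
    """Report added, removed and modified paths between two baselines (sorted lists)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }

def demo():
    """Constructed store tree: take a baseline, then simulate unplanned changes."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "includes", "configure.php"), "w") as f:
        f.write("<?php define('HTTP_SERVER', 'https://shop.example');\n")
    with open(os.path.join(root, "checkout_payment.php"), "w") as f:
        f.write("<?php // checkout page\n")
    baseline = build_baseline(root)
    with open(os.path.join(root, "checkout_payment.php"), "a") as f:
        f.write("// edit nobody scheduled\n")  # modified file
    with open(os.path.join(root, "unknown.php"), "w") as f:
        f.write("<?php\n")  # file that was not in the baseline
    return compare(baseline, build_baseline(root))
```

In practice the baseline would be written to storage the web server cannot modify and the comparison run on a schedule, with any non-empty result raised as an alert.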


There's no way that osC itself could issue any certificate of compliance. You have the full source and could have done anything to it, including changes that make it extremely vulnerable to hacks. After you install (and probably after any code changes) you would have to pay someone to look at it and make sure it's in compliance.

 

Frankly, unless your volume is so large that accepting credit cards through a payment gateway/merchant account makes economic sense (and more than offsets the extra costs of PCI-DSS compliance scans), you should use a Third Party payment system (such as PayPal) to process credit cards. The extra costs to go through the PCI-DSS hassle outweigh the higher processing fees until you get pretty big. Note that some PayPal plans have the customer credit card information go through your site (they act as a payment gateway/merchant account, but the customer stays on your site), and you may have to be PCI-DSS compliant in that case.
