
osCommerce


How can you tell if your site is PCI compliant?


WebDev22


PCI compliance has been a topic here this week and I'm trying to figure out the best way to determine if this needs to be addressed for the site. The site is running v2.2 RC2a. Because all credit card information, except for the security code on the back, is stored in the database, I would think that the site is not PCI compliant, but I wanted to make sure I understand fully. So, if a site contains the entire credit card number, is it not compliant?

 

If not, what would be the best way to resolve this? This is a somewhat unique store in that they don't process credit cards in real time. They prefer to run the charges manually at their store. We also have an OpenCart store that sends half the credit card number to the database and the other half to an email.


@@WebDev22

 

You can have an audit done, there are many companies that offer the service. Google for them

 

However, I can tell you from experience that not only is storing the credit card information or any part thereof NOT PCI compliant, it is also ILLEGAL in almost all of North America. Given the information you provided, in no way is the website, or the company as a whole, PCI DSS compliant.

 

 

 

Chris


If you're using the cc.php module, as it sounds like you probably are, you are not in compliance and may even be illegal. Note that auditing and certification for PCI-DSS compliance can be quite expensive -- you may want to consider changing over to a third-party payment system (PayPal, et al.) where you don't have to be in PCI-DSS compliance, because your site never sees the credit card numbers. Simple SSL for passwords and sensitive user information will be enough. If you have an in-store POS system for credit cards, there are services which (with your bank's permission) will handle the credit card information for you to manually enter into the POS system, without your being in possession of CC numbers on your website. You may want to look at them. In either case, your customers will see that they're leaving your site to make payment.

 

As long as you're making system changes, consider upgrading to osC 2.3.3 to get additional security and bug fixes. This would involve an installation of fresh 2.3.3 and importing/upgrading your database into the new system, moving over product images, installing the add-ons you need, etc. Make a sandbox to play in on your server (you can password protect it) and play with a copy of your store until you're satisfied that you've got it right. Then you can move it all over to the production side (after backing up your existing store and database in case something goes wrong).


Thanks for the information and advice. Is there an extension for osCommerce that will provide a PCI-Compliant way to handle credit card transactions manually? In the OpenCart store, half the number is stored, and the other half is sent via email.


@@WebDev22

 

 

Credit card transactions from a website cannot be handled manually; they require automated processing from a PCI DSS compliant processor. If the store owner can see the customer's credit card information or any part of it, then they are not PCI DSS compliant and, once again, it is illegal in most of North America.

 

 

 

Chris


To become PCI compliant you need to do much more than configure your website shopping cart. Look at this basic outline of requirements Authorizenet has posted: www dot authorize dot net/resources/pcicompliance/

 

For example, check out requirement #6:

'Develop and maintain secure systems and applications'

or requirement #10

'Track and monitor all access to network resources and cardholder data'

or requirement #12

'Maintain a policy that addresses information security'

 

 

To document to Authorizenet's satisfaction that you are actually doing these things, Authorizenet requires you to answer a lengthy questionnaire and provide written documentation. For example, the questionnaire section for requirement #12 alone is quite lengthy, and you will need to not only provide Authorizenet with written policies, but also document that relevant personnel within your organization are receiving training on a regular basis.

 

That's just one section. No website shopping cart, or contribution on osCommerce, provides that.

 

And Authorizenet is going to look at your answers, all several hundred of them, before they accept that you are PCI compliant.

 

And what happens if you don't become PCI compliant to Authorizenet's satisfaction? They charge you $30 extra a month, and are happy to do business with you anyway. So the best most of us are going to be able to realistically do is keep the osCommerce shopping cart up to date on security procedures, never store credit card data, and pay the $30 each month.

Oscommerce site:

 

 

OSC to CSS, http://addons.oscommerce.com/info/7263 -Mail Manager, http://addons.oscommerce.com/info/8120


@@WebDev22

 

 

Credit card transactions from a website cannot be handled manually; they require automated processing from a PCI DSS compliant processor. If the store owner can see the customer's credit card information or any part of it, then they are not PCI DSS compliant and, once again, it is illegal in most of North America.

 

Chris

 

They have a brick and mortar as well and handle credit card transactions in the store, as well as faxed orders. Is this really true that if they process credit cards manually, they're not compliant?


They have a brick and mortar as well and handle credit card transactions in the store, as well as faxed orders. Is this really true that if they process credit cards manually, they're not compliant?

If someone walks in your store and swipes a credit card on your reader or hands it to you and you swipe it on the reader provided to you by your credit card processor, then that has nothing to do with website PCI compliance being discussed here. But if you are using a website shopping cart to process credit card orders, then the fact that the computer you are using to access that shopping cart is sitting in your brick and mortar store instead of your home office means nothing.

 

 

I was just asked, "What happens if we leave everything as-is? We haven't had any issues in 10 years of being in business online."

As long as you are not entering credit card info into your database, then most likely the worst thing that will happen is that you'll end up paying extra for online credit card processing if you are not already, but if you get hacked then your customers will not have their credit card numbers stolen.

Oscommerce site:

 

 

OSC to CSS, http://addons.oscommerce.com/info/7263 -Mail Manager, http://addons.oscommerce.com/info/8120


@@WebDev22 If the credit card company the site deals with requires it to be PCI compliant, they will provide a scan, from whatever scanning company they use, that lists what it takes to accomplish that. The shop owner also has to complete a questionnaire that asks if you store cc data, among other things. It is perfectly OK to store cc data (try checking out on Amazon to see that) but you have to acknowledge certain things, like that the cc data is secure. From what I understand, there may be local laws overriding that for the State you are in, but I don't know any more than that. If you do store cc data and there is a problem (it gets stolen) and the cc company decides to go after you, they would have to prove the cc data was stolen from your site, which could be near impossible weeks, if not months, after it occurred.

 

Obviously, no one wants that to happen, so you should be proactive and have a scan run yourself. Godaddy has an option that is ridiculously cheap and it provides a very thorough scan (it takes about three months to get the whole website). That scan, any scan, won't find all problems, of course, so the site should be secured with known fixes. But this goes beyond PCI compliance and should be done for any shop.

 

I don't claim to be an authority on PCI so take the above as a guide only.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


I was just asked, "What happens if we leave everything as-is? We haven't had any issues in 10 years of being in business online."
Q: What are the penalties for noncompliance?

A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.

http://pcicomplianceguide.org/pcifaqs.php


Your online store is NOT compliant if storing complete 16 digit numbers in plain text (or encrypted IMHO)

 

There are also some $$ limitations for small store owners as to how compliant you need to be.

1. You can NEVER store the CVV number.. ever..

2. It is my understanding that if you do under a certain $$ monthly in volume in your ONLINE store you may store a portion or an encrypted cc number until it has been offline processed.. WITHIN A REASONABLE AMOUNT of time.. 3 days is reasonable (Fri PM - Monday mid-day for instance).. until the end of the month is not..

3. If you are processing offline, your module should be splitting the CC number, sending a portion to your email

and..

4. You should have check boxes to COMPLETELY remove the remaining CC info after you have run the card.

5. The card # should NEVER be stored COMPLETE in plain text in the database.

6. Access to any CC info and/or the customer's info MUST be on an extremely restricted "need to know" basis.. not everyone in the shipping room and the front office..

 

It is my understanding that the consortium of VISA, MasterCard, AmEx etc. has stated that if you are found out of compliance there can be fines up to and including your business NEVER being allowed to have a merchant account with any of the big cards..

 

Depending on the volume of business you do, you can look into an encrypted module and/or a split CC module. You need to ensure your module never stores the CVV and that it has the ability to completely remove the remaining cc info from the server at the speed of a click. Obviously the other option is convincing the store owner to immediately process the payment via PayPal or Authorize.net type merchant account services.

Debbie D
Franklin County, VA "Moonshine Capitol of the World"
osCmax Mobile Template oscmaxtemplates.com


Forget the split module. If you ever see the credit card number, split or not, or at any time you are able to retrieve the number, encrypted or not, for any length of time, then you are in essence storing that number.

Oscommerce site:

 

 

OSC to CSS, http://addons.oscommerce.com/info/7263 -Mail Manager, http://addons.oscommerce.com/info/8120


Lots of good advice here. It appears these are the options:

  1. Do nothing. Downside: Risk getting hacked.
  2. Hire company to conduct audit. Downside: Significant cost and the fact that it will eventually reveal we're not compliant.
  3. Do whatever it takes to become fully PCI-DSS compliant. Downside: Cost and time.
  4. Use third-party payment system, such as PayPal. Downside: Limits payment options. Also, PayPal is not merchant-friendly.
  5. Consider E-Path Module. Downside: Uncertain it is the right solution. It would require some time to research.
  6. Look at "split" module. Downside: Still not considered PCI compliant.
  7. Have cardholder info encrypted in database. Downside: Still not considered PCI compliant.


For 5 USD a month you can use PayPal Advanced... It gives the customer the impression of never leaving your site when paying by CC while keeping you totally PCI compliant. https://www.paypal.com/webapps/mpp/paypal-payments-advanced


It really says something when a bunch of professionals give differing advice about PCI. If a bunch of professionals don't know the correct rules, how is a shopowner supposed to know what to do?

 

Another point of view;

 

Anything on the reverse of a card must never be stored. Anything else CAN be stored, no problem; however, it must be stored for a business reason (e.g. order taken on Saturday night, no one to process it until 10am Monday).

 

1. Card Number

Can be stored (in full) but MUST be encrypted.

 

2. Cardholder Name

Can be stored UNencrypted

 

3. Service Code

Can be stored UNencrypted

 

4. Expire and Start Dates

Can be stored UNencrypted

 

5. Magnetic Strip Data

Can NOT be stored under any circumstance even for a microsecond.

You are very unlikely to get this data anyway doing business online.

 

6. CVV number

Can NOT be stored under any circumstance even for a microsecond.

 

7. PIN number

Can NOT be stored under any circumstance even for a microsecond.

 

So, all we need to be concerned about is encryption of the Card Number; anything else is unimportant. For this storage to be considered secure, it may be:

 

- cryptography (rendering the number unreadable)

- segmentation (as is done in the CC module)

- tokenizing (insert a "password" to get the CC details).

 

So, why not do all of these? The CC module is quite close. My -suggestion- would be to:

 

a. Use the segmentation to have only a piece of the number stored

b. Encrypt that stored piece

c. Have some sort of password (known only to the shopowner) to decrypt the stored number

 

And then;

 

d. Have a button to press that says "delete stored CC data for this order" once the payment has been taken.

 

Seems logical, seems straightforward. Who can or will take up the idea and create the module ready for use?


@@WebDev22

 

If you're looking for a simple solution then stick with PayPal; granted, they are not really merchant friendly and apply rather high fees on transactions, but on the other hand they take care of all the hassles concerning cc processing and being PCI compliant, so that means all the less hassle for you.

 

I understand you are US based, so you can use PayPal Advanced, as suggested by toycebear, which seems like a good option to me.

~ Don't mistake my kindness for weakness ~


Lots of good advice here. It appears these are the options:

  1. Do nothing. Downside: Risk getting hacked.
  2. Hire company to conduct audit. Downside: Significant cost and the fact that it will eventually reveal we're not compliant.
  3. Do whatever it takes to become fully PCI-DSS compliant. Downside: Cost and time.
  4. Use third-party payment system, such as PayPal. Downside: Limits payment options. Also, PayPal is not merchant-friendly.
  5. Consider E-Path Module. Downside: Uncertain it is the right solution. It would require some time to research.
  6. Look at "split" module. Downside: Still not considered PCI compliant.
  7. Have cardholder info encrypted in database. Downside: Still not considered PCI compliant.

1 - Not an option in my opinion. Part of being compliant is being secure and you shouldn't ignore site security.

 

2 - Godaddy's scan is under $10 for 3 months, or something like that. If you hire them, or any scanning company, yourself, the results are just for you and revealing security problems is a good thing.

 

3 - This is correct.

 

4 - Using PayPal, or similar, won't make you PCI compliant by itself - maybe. As I understand it, the credit card companies, Visa and the like, want to make sure the credit card data is secure. If you use a PayPal module where you are taken to their site, then it should be. But if you use a PayPal module that is processed on the site, i.e. PayPal Pro, and the site does not use SSL, then the credit card data is not secure. Because of this, if you use Authorize.net, they will require a PCI scan to be completed, and that scan will include not only site but server security as well. So you can't just assume using PayPal and others like it will do the trick.

 

5 - Same as 4.

 

6 - Even if it was PCI compliant, it is only one part of the process.

 

7 - I think it is OK as long as it is secure but I might be wrong.

 

PCI compliance is a big pain for shop owners but it is something that has to be done. If you don't have to be certified compliant, you should still take steps to be sure your site is secure. That's just good business practice.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


Jack has a good point about PayPal; the way I understand it is:

 

If the payment takes place on THEIR site, like with PayPal Website Payments Standard, then you need not worry about your site being PCI compliant, seeing as you do not process, store, or transmit payment card information, because it's PayPal that does it once the customer is directed to their site.

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Marketing/merchant/PCIComplianceDSS-outside

 

If the payment takes place on YOUR site (even if through PayPal) then you need to be PCI compliant. On the PayPal Payments Advanced page https://www.paypal.com/webapps/mpp/paypal-payments-advanced#ccCalloutDesc they state that the procedure is simplified (hover on PCI compliance for info).

~ Don't mistake my kindness for weakness ~


PayPal Website Payments Standard is one option for shop owners, but I would recommend a merchant account for processing on your own site. I don't have the exact numbers, but I had many potential customers contact me asking if they could pay without going through PayPal.

 

When I contacted my local bank for setting up a merchant account they were going to help with being PCI compliant.

 

Just my 2 cents.

 

:mellow:

- :: Jim :: -

- My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4 -


I just read a brutal back and forth exchange in another osCommerce discussion about PCI compliance from the middle of 2012 and am not sure where to proceed with this. Maybe I've researched too much. Frustrating. For starters, I want to get rid of any existing credit card data in the database. Any suggestions on the best way for doing that?


Off hand I'd say this mod should clean your old entries.. I hope it clears out the exp date and CVV also, but I doubt that. In that case you should look at exporting the orders table into Excel, making the changes to NULL those columns and reloading it to the database. It can be done quickly, but I would put the store in maintenance mode while you did that. Your bigger concern however is being compliant moving forward. There are MODS that both split and encrypt; make sure they have the ability to email the CVV and not store it in the database. Also check that there is a "clear the credit card info" checkbox tick.

Debbie D
Franklin County, VA "Moonshine Capitol of the World"
osCmax Mobile Template oscmaxtemplates.com


...make sure they have the ability to email the CVV and not store it in the database. Also check that there is a "clear the credit card info" checkbox tick.

Thankfully, this merchant doesn't require CVV for processing manually.

 

So, it looks like a multistep approach is the way we'll proceed. It was previously considered to encrypt all historic credit card data, but as we've read and learned, that is not a good option. So, our first step will be to retain only the last four digits of all orders not pending. Second, we'll encrypt credit card data for pending orders. That's at least a start.

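The layered scheme proposed earlier in the thread (encrypt the stored number, an owner-only password to decrypt it, a "delete stored CC data" step once the payment has been taken) and the two-step clean-up plan in the reply above, written out as an added PHP example; this is not osCommerce's or the cc module's code. It uses PHP's bundled libsodium, takes the encrypt-under-an-owner-passphrase route rather than segmentation, and the column names cc_last4, cc_salt, cc_nonce and cc_blob are assumed, not osCommerce's.

```php
<?php
// Added example, not osCommerce code. Full PAN is only ever stored encrypted
// under a key derived from the shop owner's passphrase (never stored itself);
// the CVV is never written; only the last four digits survive after the charge.
declare(strict_types=1);

function luhn_ok(string $pan): bool {
    $sum = 0;
    $digits = array_reverse(str_split($pan));
    foreach ($digits as $i => $d) {
        $n = (int)$d;
        if ($i % 2 === 1) { $n *= 2; if ($n > 9) $n -= 9; }
        $sum += $n;
    }
    return strlen($pan) >= 13 && $sum % 10 === 0;
}

// Key is derived on demand from the owner's passphrase and a per-record salt.
function derive_key(string $passphrase, string $salt): string {
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $passphrase, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Record for a pending (not yet charged) order. The CVV parameter exists only
// so the caller cannot forget it: it is wiped here and never returned.
function store_pending_card(string $pan, ?string $cvv, string $passphrase): array {
    $pan = preg_replace('/\D/', '', $pan);
    if (!luhn_ok($pan)) throw new InvalidArgumentException('card number fails Luhn check');
    if ($cvv !== null) sodium_memzero($cvv);
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = derive_key($passphrase, $salt);
    $row = [
        'cc_last4' => substr($pan, -4),
        'cc_salt'  => base64_encode($salt),
        'cc_nonce' => base64_encode($nonce),
        'cc_blob'  => base64_encode(sodium_crypto_secretbox($pan, $nonce, $key)),
    ];
    sodium_memzero($key);
    sodium_memzero($pan);
    return $row;
}

// The owner enters the passphrase to read the number once, to key it into the POS.
function reveal_pending_card(array $row, string $passphrase): string {
    $key = derive_key($passphrase, base64_decode($row['cc_salt']));
    $pan = sodium_crypto_secretbox_open(
        base64_decode($row['cc_blob']), base64_decode($row['cc_nonce']), $key);
    sodium_memzero($key);
    if ($pan === false) throw new RuntimeException('wrong passphrase or tampered record');
    return $pan;
}

// After the charge: keep only the last four digits, drop the ciphertext.
function purge_card(array $row): array {
    return ['cc_last4' => $row['cc_last4'], 'cc_salt' => null, 'cc_nonce' => null, 'cc_blob' => null];
}
// Clean-up step for a legacy column still holding full numbers on charged orders.
function mask_pan(string $pan): string {
    return str_repeat('X', max(0, strlen($pan) - 4)) . substr($pan, -4);
}
```

Even encrypted, the record should exist only for the short pending window the thread describes (days, not until month end), and the passphrase must never be placed in the web root or the database.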

Archived

This topic is now archived and is closed to further replies.
