Best SSL for Small Ecommerce CS-Cart Site?

[quote name=‘scase’]Now, I just have to worry about the upcoming PCI Compliance standards later in 2010 and hope that Authorize.net doesn’t deny us processing if we’re not using a PCI Compliant cart! I’m not planning on holding any credit card information in the database but not being compliant could pose an issue (and not just for me, I’m sure!)[/QUOTE]



Not quite sure I understand. CS-Cart is PCI Compliant (https://www.cs-cart.com/pci-compliance.html). Or am I mis-reading something?



Adam

[quote name=‘jegesmaci’]Not quite sure I understand. CS-Cart is PCI Compliant (https://www.cs-cart.com/pci-compliance.html). Or am I mis-reading something?



Adam[/quote]



Yes and No. I had a conversation back and forth via a support ticket with the guys at CSC and it’s clear they are not totally PCI compliant, nor are they very well informed about what PCI compliance is all about. While not all of it applies to cart makers, there is a 74 page doc just detailing the rules for PCI compliance. That page they quote is only a VERY brief overview of the requirements. Those are not the requirements themselves and following this does not make them compliant. They don’t encrypt cookie data and although there is now an option to turn it off, they allow users to store CVV data, which is not only not allowed by ANY credit card company, but violates PCI rules. They confirmed in the ticket they are not 100% compliant and that they will work on it for a future version.



I don’t understand how they can put their customers at risk as everyone who takes credit cards, regardless of how (even if it’s PayPal and on their site), has to be PCI compliant to varying degrees. Most people fail to recognize this. There are A LOT of documents about internal processes that have to be documented as well. It’s not just about passing a PCI scan.



We had our two servers scanned last week just before we launched and it took us 5 scans and numerous server changes to finally pass the scan. We also had to confirm that the un-encrypted cookies did not contain sensitive customer information. CSC says they don’t, but I don’t know if I am 100% sold based on their lack of PCI understanding.
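A small check of the kind jmottle describes above (confirming that the cart's cookies carry no card data and are sent with the Secure and HttpOnly flags), added here as an example; it is not from this thread or from CS-Cart, and the Set-Cookie headers it inspects are constructed.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed sample Set-Cookie headers; not real CS-Cart output.
SAMPLE_HEADERS = [
    "sid_customer_8c3f6=abc123; path=/; HttpOnly",
    "cart_data=name%3DJohn%26pan%3D4111111111111111; path=/",
    "cvv_tmp=123; path=/; secure",
]

# Runs of 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn check-digit test; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(value):
    """Return Luhn-valid, card-number-like digit strings in a cookie value."""
    hits = []
    for m in CARD_RE.finditer(unquote(value)):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def audit_cookie(header):
    """Flag one Set-Cookie header for missing flags and PCI-sensitive content."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure flag")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly flag")
        for pan in find_pans(morsel.value):
            findings.append(f"{name}: PAN-like value ending in {pan[-4:]}")
        if re.search(r"cvv|cvc|csc", name, re.I):
            findings.append(f"{name}: CVV-like name (never store CVV)")
    return findings
```

Run it over the Set-Cookie headers your own store returns (for example from a saved HTTP response); an empty list for every cookie is the result you want before a PCI scan.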

Jmottle,



Thank you for your post.



I am about to upgrade to 2.11 and my understanding is that the credit card storage feature can be turned off so that customers do not have the option to store credit cards and store owners do not have to store in their databases any cards.



It sounds like this is what you understand also which makes me feel better.



Thanks again!

CS-Cart is not on the list of validated payment applications like Early Impact (ProductCart) and some others are now. I’m sure there are other online solutions that are working towards being a validated payment application but it doesn’t sound like CS-Cart is following that path based on the info from jmottle and other threads on these forums.



Here’s a link to the list of validated payment applications.



I’m not sure how the credit card merchants who process online transactions will use this list by July 2010. It’s not a law but they can probably deny business to ecommerce stores who are not using an approved application. Just another thing to worry about as we move into 2010!



Regards,

Stephanie

[quote name=‘brandonvd’]Stephanie,



I use the Comodo Instant SSL. It works just like it is supposed to and I have been happy.



Brandon[/QUOTE]



Hi, could you kindly advise how such a seal as shown below can be displayed at the right-bottom corner? Thanks!



In skins/your_skin/customer/index.tpl



Below:


```smarty
{include file="common_templates/scripts.tpl"}
```



Add:







And Below:


```smarty
{hook name="index:footer"}{/hook}
```



Add:


```
Comodo SSL Certificate
```

Be sure to change the your-domain part.

Hope it helps,

Brandon

On this PCI compliance, how can we check to make sure it is compliant?



Would 2.0.11 be compliant? Enough?

[quote name=‘lawnmowertech’]On this PCI compliance, how can we check to make sure it is compliant?



Would 2.0.11 be compliant? Enough?[/QUOTE]



One practical way is to contact your payment gateway/merchant account and simply ask them what new requirements, if any, they will have next year, as I imagine compliance will be through them for all except the largest companies?



For small businesses it may be business as usual or maybe a survey that you do yourself?



As long as you do the basics - do not store credit card information, use anti-virus software and a firewall - I think/hope we will be fine.