Cenzic PCI Compliance Scan

Cenzic ran their Hailstorm product against another shopping cart, and it failed miserably. So, we’re trying to convince our client to switch to CS-Cart. Has anyone here had their CS-Cart installation scanned by Cenzic and passed?

Has anyone here passed a PCI compliance scan with CS-Cart? If so, which Approved Scanning Vendor checked your store?

These PCI compliance scans are a complete waste of money. It’s another useless service invented by companies as a way to suck money out of your bank account. Seriously, if you want to throw money away, please send it to me. Thanks - Sno

[QUOTE]these PCI Compliance Scans are a complete waste of money, it’s another useless service invented by companies as a way to suck money out of your bank account[/QUOTE]



Unfortunately, I agree with you Sno, and I know it is not an actual “law” in most states, but for publicly held companies that are required to adhere to and abide by SOX compliance (Sarbanes-Oxley compliance) it has to be done. [URL=“http://en.wikipedia.org/wiki/Sarbanes-Oxley_Act”]Sarbanes-Oxley Act - Wikipedia[/URL]

As this act also covers issues such as auditor independence, corporate governance, internal control assessment, and enhanced financial disclosure, I am required to present all (internal controls assessment) Internet activity, security, reports, software and hardware specs for everything I do, and PCI compliance and SAS 70 are two of the myriad of compliance data I provide.

As far as “useless service invented by companies”, I would substitute “companies” for “government”… and thank Enron, Tyco, WorldCom etc. for this overbloated mess of a regulatory nightmare. Since this Act was signed in 2002, it has actually cost companies and taxpayers more money than Enron ever imagined “floating”.



Just my 2¢

While I understand your frustration Sno, I have to agree with WebGuy. I don’t get to decide whether to comply or not - my bank says I have to. I’m also having to deal with SOX, SAS 70, etc. I don’t see any of these compliance issues going away soon. If anything, they’ll probably get worse.

Back on topic… Cenzic still hasn’t scanned my cart, but McAfee Secure and Security Metrics have both given me the thumbs up for other CS-Cart installations.

Grayloon,

Isn’t it a combination of the cart software and the host server/hardware/software configuration that is scanned and certified? I think you have to have both together.

Good news that you had good scans from two scan sources for CS-Cart and the host you are with.

I am trying to learn about this myself.

Thanks,

Bob

PCI compliance covers all aspects of security:

  • hardware
  • software
  • networking
  • policies
  • etc.

I was just trying to cover part of the software stuff by asking about CS-Cart. Since we host our own sites, we have to get through all of this stuff.

Our small/medium sized company is PCI “self-compliant”. No need to pay others when you can fill out a form and submit it to whoever requires proof of PCI compliance. Yes, you need to fit a certain criteria, but most companies do unless they are HUGE. Just go here and review: [url]https://www.pcisecuritystandards.org/saq/index.shtml[/url]

Regards,

Scott

We’ve had a few clients contacted by their bank regarding PCI compliance, and the bank paid for the scan.

Security Metrics is telling me that the following characters pose a cross-site scripting (XSS) risk, and they must be filtered out of the CS-Cart search, Send to a Friend add-on, and Reviews add-on.

[quote]; / \ < > =[/quote]

In /store/skins/{MYSKIN}/customer/common_templates/search.tpl, I tried changing this:

to this:

but the “;/=” characters still come through. I guess this function isn’t really “safe” at all.



Any other ideas?
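Added example, not CS-Cart’s, Security Metrics’ or the poster’s code: a small PHP script (CS-Cart is a PHP/Smarty application, so PHP is assumed) that contrasts the character blocklist the scanner asked for with HTML output encoding of the echoed search term. The function names, the markup and the two search strings are constructed for illustration; `htmlspecialchars` is standard PHP (the `ENT_SUBSTITUTE` flag needs PHP 5.4 or later).

```php
<?php
// Added example, not CS-Cart code. Shows why output encoding, rather than
// stripping a list of characters, neutralises the XSS risk a scanner flags
// when a search form echoes the user's term back into the page.

// Hypothetical helper: encode a value for an HTML body or a quoted
// attribute. htmlspecialchars() with ENT_QUOTES turns < > & " ' into
// entities. The characters ; / = \ are left alone: once the delimiters are
// encoded they carry no meaning in either of those HTML contexts.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The blocklist approach the scanner asked for: drop ; / \ < > = outright.
// Kept only to contrast it with encoding.
function strip_flagged_chars(string $value): string
{
    return str_replace([';', '/', '\\', '<', '>', '='], '', $value);
}

// Render the two places a search term is typically echoed: the search box
// and a "results for" line (hypothetical markup, not search.tpl).
function render_search(string $term): string
{
    $safe = encode_for_html($term);
    return '<input type="text" name="q" value="' . $safe . '">' . "\n"
         . '<p>Results for ' . $safe . '</p>';
}

// Constructed inputs: a legitimate query that uses several of the flagged
// characters, and a string that tries to close the value attribute and
// inject a tag.
$inputs = [
    'hard drive 1/2" bracket; cost=low',
    '"><b>injected</b>',
];

foreach ($inputs as $term) {
    echo "Input:    $term\n";
    echo "Stripped: " . strip_flagged_chars($term) . "\n";
    echo "Encoded:\n" . render_search($term) . "\n\n";
}
```

Run it with `php`. Encoding keeps the legitimate query intact (the `1/2`, `;` and `=` all survive) while the second string is rendered as literal text, since `"`, `<` and `>` become `&quot;`, `&lt;` and `&gt;`. The blocklist mangles the legitimate query and, because `"` is not on the scanner’s list, still lets the attribute delimiter through. In a Smarty template the equivalent of `encode_for_html` is the `|escape` modifier on the echoed variable.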

[quote name=‘grayloon’]Security Metrics is telling me that the following characters pose a cross-site scripting (XSS) risk, and they must be filtered out of the CS-Cart search, Send to a Friend add-on, and Reviews add-on.

In /store/skins/{MYSKIN}/customer/common_templates/search.tpl, I tried changing this:

to this:

but the “;/=” characters still come through. I guess this function isn’t really “safe” at all.



Any other ideas?[/quote]

I would ask the CS-Cart developer team directly, as they can give you the most exact answer.