PCI Compliance?

How does anyone achieve PCI Compliance? We are currently setting up a VPS with Wired Tree, but as far as I understand, to be PCI Compliant we need a database server that is not directly accessible from the web.



How is everyone else handling compliance?



We have set up CS-Cart to remove CC data automatically from the database to minimize our liability, but even doing that doesn't make us PCI compliant as far as I understand. Is this correct?
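The "database server not directly accessible from the web" requirement raised in the question above is something you can verify on the VPS itself. The script below is an added example, not part of the original post and not CS-Cart's code: it takes a listening-socket table in the format of `ss -Hltn` and flags any database port (3306 for MySQL/MariaDB, 5432 for PostgreSQL, both assumed here) bound to a non-loopback address. The socket table in SAMPLE_SOCKETS is constructed for the demonstration; the MySQL and iptables fixes in the comments are the usual remedies, not something the thread prescribes.

```shell
#!/bin/sh
# Added example, not from the thread or from CS-Cart: flag database ports
# that are bound to a non-loopback address and so reachable from the web.
# SAMPLE_SOCKETS is a constructed stand-in for the output of `ss -Hltn`
# (columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
# On the VPS itself, run:  exposed_db_listeners "$(ss -Hltn)"

SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 244 [::]:5432 [::]:*
LISTEN 0 511 *:80 *:*'

# Print the local address:port of every listener on a database port
# (3306 MySQL/MariaDB, 5432 PostgreSQL, assumed) that is not bound to a
# loopback address. Output is empty when nothing is exposed.
exposed_db_listeners() {
    printf '%s\n' "$1" | awk '
    {
        laddr = $4                       # e.g. 0.0.0.0:3306 or [::]:5432
        n = split(laddr, parts, ":")
        port = parts[n]                  # last field after the final colon
        addr = substr(laddr, 1, length(laddr) - length(port) - 1)
        if (port != "3306" && port != "5432") next
        if (addr == "127.0.0.1" || addr == "[::1]") next
        print laddr
    }'
}

# Return 0 when the socket table is clean, 1 when a database port is exposed.
db_not_exposed() {
    [ -z "$(exposed_db_listeners "$1")" ]
}

# Demonstration over the constructed table: two listeners get flagged.
exposed=$(exposed_db_listeners "$SAMPLE_SOCKETS")
if [ -n "$exposed" ]; then
    printf 'database port reachable from off-host:\n%s\n' "$exposed"
    # Fix at the database and at the host firewall, e.g. for MySQL:
    #   [mysqld]  bind-address = 127.0.0.1          (in my.cnf)
    #   iptables -A INPUT -p tcp --dport 3306 ! -i lo -j DROP
fi
```

A listener on 127.0.0.1 or [::1] is only reachable from the same host, which is the state the question is asking for; anything on 0.0.0.0, [::] or a public address is what an external PCI scan will pick up.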

Hello solesurvivor,



Thank you for the message.



You do not need to do anything special to make your CS-Cart store more secure, but in any case you should follow the general rules of web security: use complicated passwords, change them regularly, use anti-virus software, etc.



CS-Cart is designed to meet the latest security requirements, and one such requirement is PCI compliance. Please refer to the following page on our website to learn more about this security standard:



Product :: Feature Tour :: PCI Compliance



CS-Cart is secure software by itself, provided that the CS-Cart directories and files have the correct permissions and the default CS-Cart .htaccess files are present in the necessary directories.





Anastasiya Kozlova

CS-Cart Support Team
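The support reply above names two conditions, correct file permissions and the default .htaccess files in the necessary directories, without saying how to check them. The script below is an added example, not CS-Cart's own tooling or part of the reply: it audits a web root for world-writable files and for directories missing a .htaccess, and applies the usual permission fix. The directory tree is constructed in a temporary directory; the directory names used (var, images, config) are assumptions standing in for whichever directories your own CS-Cart installation ships .htaccess files in.

```shell
#!/bin/sh
# Added example, not CS-Cart's own tooling: audit a web root for the two
# things the support reply names, loose file permissions and missing
# .htaccess files. The tree below is constructed in a temp directory; the
# directory names (var, images, config) are assumptions standing in for
# whichever ones your CS-Cart install protects with .htaccess.

# Print every file or directory under $1 that is world-writable (o+w).
world_writable() {
    find "$1" -perm -0002 -print | sort
}

# Print each directory (given relative to $1) that has no .htaccess file.
missing_htaccess() {
    root=$1
    shift
    for d in "$@"; do
        [ -f "$root/$d/.htaccess" ] || printf '%s\n' "$d"
    done
}

# Remove world-write from everything under $1 (the usual fix).
strip_world_write() {
    find "$1" -perm -0002 -exec chmod o-w {} +
}

# Constructed sample tree: one correctly protected directory (var), one
# directory without its .htaccess (images), and one world-writable file.
DEMO_ROOT=$(mktemp -d)
trap 'rm -rf "$DEMO_ROOT"' EXIT
mkdir -p "$DEMO_ROOT/var" "$DEMO_ROOT/images" "$DEMO_ROOT/config"
chmod 0755 "$DEMO_ROOT/var" "$DEMO_ROOT/images" "$DEMO_ROOT/config"
printf 'Deny from all\n' > "$DEMO_ROOT/var/.htaccess"
: > "$DEMO_ROOT/config/local.php";  chmod 0644 "$DEMO_ROOT/config/local.php"
: > "$DEMO_ROOT/images/logo.png";   chmod 0666 "$DEMO_ROOT/images/logo.png"

# Audit, fix, audit again.
BEFORE=$(world_writable "$DEMO_ROOT")
strip_world_write "$DEMO_ROOT"
AFTER=$(world_writable "$DEMO_ROOT")
MISSING=$(missing_htaccess "$DEMO_ROOT" var images)

printf 'world-writable before fix:\n%s\nafter fix:\n%s\n' "$BEFORE" "${AFTER:-(none)}"
printf 'directories missing .htaccess: %s\n' "${MISSING:-(none)}"
```

On a real installation, point world_writable and missing_htaccess at the store's document root and pass the directory list from your own default .htaccess set; a world-writable file under the web root means any process on the host, including a compromised neighbouring site, can rewrite it.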

Not related to the cart software itself…



Don't forget about the PCI rules for taking orders and payments by phone. Most small businesses do not have the capability or funds to support the requirements (i.e. encrypted and recorded).

Solesurvivor,

There are many posts related to PCI compliance in this forum. If you search, you should find them. I would think that the service that provides you with credit card processing also has requirements.

PCI compliance is multi-faceted and is not just the cart itself.

Carterj points out something that may not be considered: phone orders. During my certification, I was asked if I use the phone, what kind of phone, etc. The use of a VoIP phone requires more controls than a regular phone. If you process at home, for example, using QuickBooks, you need your home computers secured plus the software, especially wireless networks. You need your home/business router scanned the same as a website. Mine initially failed; it was a Verizon problem.

This is the reason why I use Cresecure for credit cards, Amazon and PayPal. I don't advertise phone orders anymore, and I don't take credit card information directly in CS-Cart. All are hosted and processed elsewhere.

Bob

[quote name='pbannette' timestamp='1318011402' post='123157']

Solesurvivor,

There are many posts related to PCI compliance in this forum. If you search, you should find them. I would think that the service that provides you with credit card processing also has requirements.

PCI compliance is multi-faceted and is not just the cart itself.

Carterj points out something that may not be considered: phone orders. During my certification, I was asked if I use the phone, what kind of phone, etc. The use of a VoIP phone requires more controls than a regular phone. If you process at home, for example, using QuickBooks, you need your home computers secured plus the software, especially wireless networks. You need your home/business router scanned the same as a website. Mine initially failed; it was a Verizon problem.

This is the reason why I use Cresecure for credit cards, Amazon and PayPal. I don't advertise phone orders anymore, and I don't take credit card information directly in CS-Cart. All are hosted and processed elsewhere.

Bob

[/quote]





Yeah, it's just such a hassle, all these PCI rules. I don't know why they can't make it more affordable and easier to become compliant.

They do… It's called PayPal Standard! ;)

[quote name='derbytown502' timestamp='1318062452' post='123222']

They do… It's called PayPal Standard! ;)

[/quote]

Do you use PayPal Standard?

Yes, we do on one of our other sites using a different cart. We plan on using Standard on our CS-Cart once we are complete with the project. Initially I wanted to use our own merchant account so customers wouldn't leave our site for PayPal and then come back. However, with all the PCI changes and regulations, and with PayPal being so well known, I don't think it makes a bit of difference. If you're just getting started, I highly recommend the Standard solution for its simplicity.



Others here might have a difference of opinion as we all do, but I think most would concur.



Stu