stuck with indecision due to pci compliance

I am currently on 1.3.5 sp4 and am in need of a change due to the PCI compliance standards (deadline July 2010).



So, a few questions, if people could help me out.


  1. Am I understanding correctly that it is 2.0.12 that is compliant but not validated?


  2. Is validation necessary? What if we could not process cards on our site?


  3. Is there any way to get CRESecure to work with CS-Cart in order to avoid the expensive quarterly scans (approximately $250 per quarter)? This way we could process cards offsite, but not disrupt the checkout process. (I tried LinkPoint Connect as a third-party processor, but their look and feel does not match the cart, and it adds another 4 steps to checkout.) I do not want to merely use PayPal or Google Checkout.


  4. Is 2.0.12 really stable enough for commercial use?


  5. What is everyone else doing in order to meet the PCI compliance deadline?



Thank you so much. I think these are important issues that we all need to be looking at (unless you are purely using PayPal and Google Checkout). I really don’t want to jump the CS-Cart ship, but I need a PCI compliant solution as soon as possible. I need the shop ready to go public before the deadline.

The CRESecure site lets you vote for free modules. I added CS-Cart.

This method uses iframes, so it appears to the customer that they are still on your site.

There is a cost in using this service; it could be worth it to some low-volume carts.

They have a free 30 day trial.



Bob

PCI compliance is just another group of morons who managed to convince everybody and the credit card companies that they need to buy into their pci compliance services so they can take your money and make a quick buck for doing nothing - Sno

Bob,



CRESecure would make it much cheaper than having scans.



Sno,



I completely agree. There are a lot of morons out there making new rules. But whether I like it or not, I have to comply or lose the ability to charge credit cards. Merchant account companies are making everyone comply because the credit card companies, such as Visa, are putting pressure on them.



Right now in our field business we are fighting so many inane rules and laws (CPSIA), but they are not going away any time soon.

I was having my non-CS-Cart site scanned daily and stopped.

I have low volume of customers on my site, but I was exceeding the amount of usage that I could have with my hosting plan. Never was even close before the scans.

The host investigated and found that all the increase in hits was from the daily scans filling up my logs and session tables. I had to stop the scans.

Not only was I paying for my customers to access my site, but I was paying extra for the scanning service to do all the PCI scans.

I wonder if the CS-Carters having trouble with expanding databases are having scans performed on a daily basis.

Bob

I’ve heard the same thing on other forums when I was looking around for a new cart. The scans really bog down the sites and cause problems.



I’m not sure what I’m going to do with PCI compliance. I use Authorize.net to process my credit cards. Has anyone asked them how they will be handling any merchants who aren’t using a PCI compliant cart? I haven’t had the guts to ask yet because I don’t want to raise any red flags yet. :slight_smile:

I think it depends on the merchant account you have, but I have read that fines can be very heavy for being non-compliant (PCI compliance official site said something in the 100k per day mark for large companies). If you do get hacked and found to be non-compliant, I don’t even want to know what those consequences would be!

Hi,



If you accept any type of Paypal payment then you can register for free and do ad-hoc scanning when you need it.



You do have to verify your application with a phone-call but there is no hard-sell.



I have run several scans with it.



I think Paypal have basically paid McAfee a huge wad of money on behalf of Paypal users.



Here’s the link:-



[url]https://www.mcafeesecure.com/Affiliate.sa?a=15751&u=21865&c0=269&k0=SJ2VqSgTpg&framed=Y[/url]



Hope it helps.



Nick

I contacted CS-Cart about the idea of adding CRESecure; the contact person passed the idea on to the developers. All their biggest competitors are on the list of either having added or being in development of adding CRESecure.

Personally I don’t like the idea of using anything affiliated with CRE Loaded software.

Even if they do get certified, you are still stuck with hefty scanning fees (the best I’ve found is $250 per scan and you have to do it quarterly) as long as you are taking credit card information on your site (which CRESecure lets you avoid by having them take the CC info via iframe).



Just out of curiosity, what is the issue with anything cre loaded?

[quote name=‘moka’]Even if they do get certified, you are still stuck with hefty scanning fees (the best I’ve found is $250 per scan and you have to do it quarterly) as long as you are taking credit card information on your site (which CRESecure lets you avoid by having them take the CC info via iframe).



Just out of curiosity, what is the issue with anything cre loaded?[/QUOTE]



Hi Moka,



Another possible option (as posted above): I also received an email mentioning this from PayPal, as we use PayPal Pro as the merchant account for our business:


[QUOTE]If you accept any type of Paypal payment then you can register for free and do ad-hoc scanning when you need it.



You do have to verify your application with a phone-call but there is no hard-sell.



I have run several scans with it.



I think Paypal have basically paid McAfee a huge wad of money on behalf of Paypal users.



Here’s the link:-[/QUOTE]


[QUOTE]Just out of curiosity, what is the issue with anything cre loaded?[/QUOTE]



****py shopping cart developers! :smiley:

FWIW, we are on 1.3.4sp3 and SecurityMetrics validated us as compliant again (annually).



Now, we don’t have a large volume of transactions compared to most, so we only have to do the annual self-survey, etc. But additionally, their online site scans did show our site is up to their standards.



?



Naive or not, I’m not worried about anything until they force us to change. Should I be worried?

[quote name=‘wwgreen’]FWIW, we are on 1.3.4sp3 and SecurityMetrics validated us as compliant again (annually).



Now, we don’t have a large volume of transactions compared to most, so we only have to do the annual self-survey, etc. But additionally, their online site scans did show our site is up to their standards.



?



Naive or not, I’m not worried about anything until they force us to change. Should I be worried?[/QUOTE]



I wouldn’t be. You don’t have to use a cart that is certified as PCI compliant. Your cart just needs to actually be compliant, and if you’re passing the scans by an authorized PCI compliance scanning company then you should be fine. I currently run custom carts that I built. They are not certified as compliant (it’d be silly of me to try and get a validated certificate for them; I don’t resell them for the masses), but they are compliant, they pass the scans (I use daily scans from HackerSafe/McAfee at the moment), and any time there is a new security issue that is scanned for, I fix it if I need to.



Keep in mind that many of the PCI compliance issues are not cart related but are more about server settings, versions, and how you handle data.

Re: scanning - I am forced by my merchant account provider (Elavon) to use Trustwave. Well, they give me the option of choosing someone else, but I think they still charge me a fee. They charge between $100-$200 to my Nov. statement for a year of Trustwave scans. I set mine up to scan monthly. I’m not sure what Trustwave costs if you aren’t getting it through your MAP. There are many other options out there. Check this list and compare prices:

[url]https://www.pcisecuritystandards.org/pdfs/asv_report.html[/url]

You don’t need any fancy seals… just a quarterly scan. I’m guessing the $250 per quarter rate was for something way more than you need.

I know this is an old thread, but in regards to the question about 2.0.12 being stable enough for commercial use… YES… I’ve been using CS-Cart since 2.0.7 and process hundreds of dollars worth of orders every day.

PCI compliance is so much more than a quarterly scan. If you read the 12 requirements, you’ll see a lot of policy and procedure stuff in there too. PCI is here to stay, and it will probably get more strict as time (and breaches) go on. It’s pointless to argue whether PCI actually makes you secure or not.



In almost every case, the entity forcing compliance on merchants is their bank. CS-Cart doesn’t care if you’re compliant, and neither does Authorize.Net. Your bank will ask you to sign up for SecurityMetrics, TrustWave, etc. and provide a ROC (report on compliance). You’ll also have to answer and submit an attestation of compliance for some, if not all, of the 12 PCI requirements.



We’ve been building shopping carts (some as simple as a donation page) for several years. Last year, we started seeing our customers being fined by their bank for failure to comply with PCI. Fines range from a few dollars a month to several hundred dollars per year. I think this depends on the volume of transactions the store receives.



PCI-DSS 1.2.1: [URL]https://www.pcisecuritystandards.org/pdfs/pci_pa_dss.pdf[/URL]