
PCI Compliance?

 
  • solesurvivor
  • Senior Member
  • Members
  • Join Date: 05-Aug 11
  • 745 posts

Posted 04 October 2011 - 08:59 PM #1

How does anyone achieve PCI compliance? We are currently setting up a VPS with Wired Tree, but
as far as I understand, to be PCI compliant we need a database server that is not
directly accessible from the web.

How is everyone else handling compliance?

We have set up CS-Cart to remove CC data automatically from the database to minimize our liability, but even doing that doesn't make us PCI compliant as far as I understand. Is this correct?

 
  • CS-Cart team
  • CS-Cart support team
  • Moderators
  • Join Date: 04-Apr 11
  • 3809 posts

Posted 05 October 2011 - 08:30 AM #2

Hello solesurvivor,

Thank you for the message.

You do not need to do anything special to make your CS-Cart store more secure, but anyway you should follow general rules of web security - use complicated passwords, change them regularly, use anti-virus software, etc.

CS-Cart is designed to meet the latest security requirements, and one such requirement is PCI compliance. Please refer to the following page of our website to learn more about this security standard:

https://www.cs-cart....compliance.html

CS-Cart is secure software by itself if CS-Cart directories and files have correct permissions and there are default CS-Cart .htaccess files in the necessary directories.

---
Anastasiya Kozlova
CS-Cart Support Team

Sincerely yours, CS-Cart Support Team

 
  • carterj
  • Junior Member
  • Members
  • Join Date: 11-May 09
  • 93 posts

Posted 07 October 2011 - 01:46 PM #3

Not related to the cart software itself...

Don't forget about the PCI rules for taking orders and payments by phone. Most small businesses do not have the capability or funds to support the requirements (i.e. encrypted and recorded).
Using CS-CART 4.2.x

 
  • pbannette
  • Senior Member
  • Members
  • Join Date: 09-Aug 07
  • 1036 posts

Posted 07 October 2011 - 06:16 PM #4

Solesurvivor,
There are many posts related to PCI compliance in this forum. If you search, you should find them. I would think that the service that provides you with credit card processing also has requirements.
PCI compliance is multi-faceted and is not just the cart itself.
Carterj points out something that may not be considered: phone orders. During my certification, I was asked if I use the phone, what kind of phone, etc. The use of a VoIP phone requires more controls than a regular phone. If you process at home, for example using QuickBooks, you need your home computers secure plus the software, especially wireless networks. You need your home/business router scanned the same as a website. Mine initially failed; it was a Verizon problem.
This is the reason why I use Cresecure for credit cards, Amazon and PayPal. I don't advertise phone orders anymore and don't take credit card information directly in CS-Cart. All are hosted and processed elsewhere.
Bob

Version CS-Cart 4.3.5


 
  • solesurvivor
  • Senior Member
  • Members
  • Join Date: 05-Aug 11
  • 745 posts

Posted 07 October 2011 - 07:37 PM #5

> Solesurvivor,
> There are many posts related to PCI compliance in this forum. If you search, you should find them. I would think that the service that provides you with credit card processing also has requirements.
> PCI compliance is multi-faceted and is not just the cart itself.
> Carterj points out something that may not be considered: phone orders. During my certification, I was asked if I use the phone, what kind of phone, etc. The use of a VoIP phone requires more controls than a regular phone. If you process at home, for example using QuickBooks, you need your home computers secure plus the software, especially wireless networks. You need your home/business router scanned the same as a website. Mine initially failed; it was a Verizon problem.
> This is the reason why I use Cresecure for credit cards, Amazon and PayPal. I don't advertise phone orders anymore and don't take credit card information directly in CS-Cart. All are hosted and processed elsewhere.
> Bob



Yeah, it's just such a hassle, all these PCI rules. I don't know why they can't make it more affordable and easier to become compliant.

 
  • derbytown502
  • Senior Member
  • Members
  • Join Date: 18-Jan 09
  • 248 posts

Posted 08 October 2011 - 08:27 AM #6

They do... It's called PayPal Standard! ;)

 
  • solesurvivor
  • Senior Member
  • Members
  • Join Date: 05-Aug 11
  • 745 posts

Posted 09 October 2011 - 05:38 AM #7

> They do... It's called PayPal Standard! ;)

Do you use PayPal Standard?

 
  • derbytown502
  • Senior Member
  • Members
  • Join Date: 18-Jan 09
  • 248 posts

Posted 09 October 2011 - 08:40 PM #8

Yes, we do on one of our other sites using a different cart. We plan on using Standard on our CS-Cart site once the project is complete. Initially I wanted to use our own merchant account so customers wouldn't leave our site to go to PayPal and then come back. However, with all the PCI changes and regulations, and with PayPal being so well known, I don't think it makes a bit of difference. If you're just getting started, I highly recommend the Standard solution for its simplicity.

Others here might have a difference of opinion as we all do, but I think most would concur.

Stu