CS-Carter

Member Since 07 Sep 2010
Offline Last Active Sep 17 2010 01:04 PM

Posts I've Made

In Topic: Payleap gateway/ merchant account and cresecure

10 September 2010 - 08:46 PM

I looked at BigCommerce and tested it. It's expensive when you start putting a lot of items up on your store.

Also, if you check the forums: when they have upgrades you select whether to do them or not, and it takes a while to have the updates made, which is done by them or an automated system, and in many cases it breaks the store.

Some on the forums were down from multiple days to many weeks with no help from BigCommerce.

Not flexible enough and you don't have any real control. And you are limited to the add-ons that are available.

I contacted a developer and BigCommerce twice to have one small custom tweak made, and the developer eventually ignored me and BigCommerce said they couldn't do it.

Depends on you and your needs. I think BigCommerce is a good cookie-cutter solution that is hosted, using the Interspire ecommerce software, even though they really are not yet interlinked.

If you are scared or worried about PCI compliance you shouldn't be. Check out this: http://forum.cs-cart...ead.php?t=19749 and this: http://www.qualys.co...s/qg_suite/pci/

Good luck!

In Topic: MySQL Port?

10 September 2010 - 06:20 PM

1and1 does have weird setups. However you need to determine the issue.

Have you tried this?

1. From the 1and1 Control Panel, go to the Server Administration section and make sure PHP is running as a module.

2. Create a .htaccess file and put the following line into it.

php_value mysql.default_socket "/tmp/mysql5.sock"

And put this .htaccess file into the root of the CS-Cart directory.

3. Enter the following settings into the vB config.php file.

$config['MasterServer']['servername'] = 'localhost';
$config['MasterServer']['port'] = '/tmp/mysql5.sock';

If you still cannot get it to work you may have to contact 1and1. I have seen IP issues cause database connection issues before.

Good luck!

In Topic: Data loss in Front end?

10 September 2010 - 05:40 PM

Look here http://forum.cs-cart...ch=buy together to see if any of the issues you are experiencing exist already. You could even contact the user with the same issue as you and see if they found a remedy.

Good luck!

In Topic: Tables for position data?

10 September 2010 - 05:37 PM

That information, if available, will be here: http://docs.cs-cart.com/

Good luck!

In Topic: What to do with PCI compliance

10 September 2010 - 05:03 PM

There are 12 mandated security requirements in PCI-DSS.

1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks (i.e. SSL)
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security.

https://www.pcisecur..._agreement.html

This type of CC data CAN BE STORED on your PCI-DSS compliant server (all methods require security protection)

a. Account Number
b. Cardholder Name
c. Expiration Date
d. Service Code

The following CC data CAN NOT BE STORED FOR ANY REASON to be PCI-DSS compliant

a. Magnetic Stripe
b. CVV, CCV, CVVC, CVC, CSC, CVD (This is the 3-digit or 4-digit verification code on the CC itself)
c. PIN Data (Debit Card PIN or CC Cash Advance PIN)

What can happen to you if you are not in compliance?

1. Fines up to $500,000 per incident
2. Remediation costs estimated at $90 to $302 per record
3. Potential customer lawsuits
4. Company reputation and brand damage

Should you be afraid?

In my opinion not at all. You just need to be aware and follow the PCI-DSS protocol.

Merchant Levels:

Level 1 = (This is the highest level and requires the most scrutiny. Unless you are a Wal-Mart you don’t have to fear) Def: More than 6 million transactions annually across all channels, including e-commerce. Req: Annual Onsite PCI Data Security Assessment and Quarterly Network Scans

Level 2 = Def: 1,000,000 – 5,999,999 transactions annually (You will definitely need to have a dedicated server and some beefy security, but I assume you can afford to hire a specialist to handle this all for you by then; if not, you should probably not be doing this) Req: Annual Self-Assessment and Quarterly Network Scans

Level 3 = Def: 20,000 – 1,000,000 e-commerce transactions annually. Req: Annual Self-Assessment and quarterly Network Scans. (Some of you may fall into this category. If you do you should be on a VPS or Dedicated Server with a company that guarantees PCI-DSS compliance or run and maintain your own servers) NOTE: You will also see that Level 3 is specific about e-commerce as most fraud with CC is online so this focuses in on the bulk of the fraud they deal with.

Level 4 = Def: Less than 20,000 e-commerce transactions annually, and all merchants across channels up to 1,000,000 VISA transactions annually. Req: Annual Self-Assessment and Annual Network Scans. (Most mom & pop e-commerce sites will fall into this category; however, it was meant to also encompass brick-and-mortar stores who are getting into the e-commerce game. Many of these already perform a lot of transactions, but up until now they have all been in their stores. This makes PCI-DSS simpler to start even if you are a big merchant)

What is a SAQ (Self-Assessment Questionnaire)?

INFO: When PCI-DSS was new there used to be just one questionnaire that everyone had to fill out. That was chaos, and since 2008 they have created 4 different questionnaires based on the different types and sizes of merchants. Here they are:

SAQ A: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data. (This would be the PayPal, Gateways, or similar users out there who do not store any CC data in their store databases or on file in their office)

SAQ B: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only. (If you have seen the old machines that imprinted the CC data onto the hand forms, you know what they are talking about). This type of questionnaire was not designed for e-commerce.

SAQ C: Constructed to focus on requirements applicable to merchants whose payment application systems are connected to the internet. (Terminals via the Internet and not a phone line, built-in card swipes via QuickBooks, you get the idea: all data transmitted over the internet and not by mail or telephone line.)

SAQ D: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C. (This is tricky, so if you are an e-commerce merchant who uses a payment gateway but you still store the CC data on your server for customer convenience, or you have a mixed environment, this is you. Best way to think of this is: if you do not fit the A, B or C definitions then you are a D)

Instructions for SAQ V1.1 and V1.2 here: https://www.pcisecur...tructions.shtml

Network Vulnerability Scans:

The PCI Standard requires merchants to scan all outward facing IP addresses. These IP addresses are not protected by a firewall and can be hacked through an open port. The SAQ identifies and mitigates risk from the inside (behind the firewall) while the IP scans identify and mitigate risk from the outside.

See Demo Video from an ASV: http://www.qualys.co...s/pci/demo.html
(note: I am not affiliated nor have I ever used Qualys before but it's a good demo)

How to get started:

1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area. (Mom & Pops: this will be yet another hat for you to wear by yourself unless you hire someone)
2. Determine your merchant level (1-4)
3. Determine which SAQ your organization will need to complete
4. Evaluate whether your organization will try to achieve compliance internally or engage with a QSA (Qualified Security Assessor)
5. Engage with an ASV (Approved Scanning Vendor) to start the required external IP vulnerability scans.
6. Make sure that your organization has an Information Security Policy and that it is being enforced
7. Immediately address any significant deficiencies discovered during the assessment or scan
8. Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.

What should you do if you are breached? – (Immediate Action Required)

1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise
2. Alert all necessary parties. Be sure to notify:

a. Your Merchant Account Provider (i.e. PayPal)
b. Visa Fraud Control Group @ 1-(650)-432-2978
c. Local FBI Office
d. U.S. Secret Service (if Visa payment data is compromised)

3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours.
4. Within four business days of the reported compromise, provide Visa with an incident report. (Here is a step by step from Visa: http://usa.visa.com/...ompromised.html )

I realize that to many out there this is overwhelming, but if you just take the time to understand the basics and know what questions to ask you can master this and put it behind you.

If you are using a HOSTED server be certain to ask your provider a few questions:

1. Are they PCI-DSS compliant?
2. If so, what LEVELS of compliance are they?
3. Also, if so, do they have specific instructions on how to make sure your site is PCI-DSS compliant on their servers?

CS-Cart is PCI-DSS compliant, but as with any software it's going to have to be tested on your installation. You will have to pass a PCI-DSS scan, and if you do not you will have to fix the issue and get scanned again. Once you pass you just have to pass the scans when they are required for your type of business.

Here are a few links that may assist you in your research.

PCI Quick Reference Guide: https://www.pcisecur...quick_guide.pdf
Docs for PCI DSS V1.2:
PCI Security Standards Council Site: https://www.pcisecur...org/index.shtml
PCI Compliance for DUMMIES (FREE DOWNLOAD): http://www.qualys.co.../pcifordummies/
ASV (Approved Scanning Vendor) that provides the free eBook: http://www.qualys.co...s/qg_suite/pci/

You can use any ASV you wish I only noted the above because they have the FREE book.

Good luck on your TREK!
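The storage rules in the post above (account number, name, expiry and service code may be kept with protection; magnetic stripe, card verification code and PIN data may never be kept) are the part of PCI-DSS that a store developer actually has to enforce in code. The following is an added example, not part of the post and not CS-Cart code, showing how a store can sanitize a payment record before it reaches the database and scrub card numbers out of log lines. The field names, the sample record and the sample log lines are constructed for the example; it also assumes the full card number stays with the payment gateway and the store keeps only a truncated form.

```python
"""Added example (not from the forum post, not CS-Cart code).

Enforces the PCI-DSS storage rules on a payment record and scrubs PANs
from log lines. Field names and sample data are assumptions for the example.
"""
import re

# Fields the post lists as storable (still requiring protection) and as
# sensitive authentication data that must never be stored, even encrypted.
STORABLE = {"pan", "cardholder_name", "expiry", "service_code"}
FORBIDDEN = {"track_data", "cvv", "cvc", "cvv2", "csc", "cvd", "pin", "pin_block"}

# Digit runs of 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# key=value pairs carrying verification codes or PINs in a log line.
SAD_FIELD = re.compile(r"(?i)\b(cv[vc]2?|csc|cvd|pin)=\S+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card brands; filters out order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_pan(value: str) -> bool:
    """True if the value is a plausible card number (length and Luhn check)."""
    digits = re.sub(r"\D", "", value)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI-DSS allows on display."""
    if not is_pan(pan):
        raise ValueError("not a plausible card number")
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Drop forbidden fields, reject unknown ones, and truncate the PAN.

    The full PAN is assumed to live only at the gateway; the store keeps the
    masked form for order display.
    """
    out = {}
    for key, value in record.items():
        k = key.lower()
        if k in FORBIDDEN:
            continue  # sensitive authentication data: never persisted
        if k not in STORABLE:
            raise ValueError(f"unexpected field {key!r}; extend STORABLE deliberately")
        out[k] = value
    if "pan" in out:
        out["pan"] = mask_pan(out["pan"])
    return out


def scrub_log_line(line: str) -> str:
    """Mask Luhn-valid digit runs and redact verification-code/PIN fields."""
    def repl(match: re.Match) -> str:
        text = match.group(0)
        return mask_pan(text) if is_pan(text) else text
    line = PAN_CANDIDATE.sub(repl, line)
    return SAD_FIELD.sub(lambda m: f"{m.group(1)}=[redacted]", line)


if __name__ == "__main__":
    # Constructed sample data; 4111 1111 1111 1111 is a well-known test number.
    record = {"pan": "4111 1111 1111 1111", "cardholder_name": "A Tester",
              "expiry": "12/12", "cvv": "123", "track_data": "%B4111...?"}
    print(sanitize_for_storage(record))
    log = "2010-09-10 17:03:11 checkout pan=4111-1111-1111-1111 cvv=123 order=1234567890123456"
    print(scrub_log_line(log))
```

The scrubber is the piece most stores forget: requirement 3 is just as easily broken by a debug log or a gateway error message that echoes the card number as by a database column, and an ASV scan will not catch either.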