Shopping Cart PCI Compliance Guide (Magento, Oscommerce, Zencart, etc.) |
PCI Compliance Introduction, 12 Steps
Practical Steps To Make Sure You Are Compliant
PCI Compliance Security Scans, "Hacker Safe," Etc.
Keeping Your Shopping Cart (Magento, Oscommerce, CRE Loaded) PCI Compliant
PCI Compliance Introduction, 12 Steps
The main guide to PCI Compliance can be found here: PCI Compliance PDF Guide and the Official Website. In this article we review how you can be PCI compliant using normal people's language, not computer jargon. First of all, PCI Compliance means meeting the PCI DSS (Payment Card Industry Data Security Standard), a standard set by the PCI Security Standards Council, which was founded by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to reduce card fraud. It applies to every merchant that stores, processes or transmits cardholder data, however small the shop. If you are not compliant and cardholder data is stolen, your acquiring bank can pass on steep fines from the card brands (the figure often quoted is $150 or more per card stolen), bill you for the cost of reissuing the cards, and ultimately stop you from accepting cards at all.
Next, merchants are sorted into 4 levels by the number of card transactions they handle per year. The thresholds below are Visa's definitions (the other card brands use similar ones), and your acquiring bank tells you which level applies to you:
Level 1: More than 6 million transactions per year
- Requires an annual onsite assessment by a QSA (Qualified Security Assessor), resulting in a Report on Compliance, plus a quarterly network scan by an ASV (Approved Scanning Vendor)
Level 2: 1 to 6 million transactions per year
- Requires an annual Self-Assessment Questionnaire (SAQ) plus a quarterly ASV scan
Level 3: 20,000 to 1 million e-commerce transactions per year
- Requires an annual SAQ plus a quarterly ASV scan
Level 4: Fewer than 20,000 e-commerce transactions per year (and up to 1 million transactions overall)
- Requires an annual SAQ and, if your acquirer asks for it, a quarterly ASV scan
The vast majority of shops running Magento, Oscommerce or Zencart are Level 4: no onsite audit, but you still have to answer the questionnaire truthfully and pass the scan, and after a breach the fines and liability land on you whatever your level.
The 12 requirements of the PCI DSS (the "12 steps" towards compliance), grouped under six goals, are as follows:
PCI Compliance 12 Steps
Build and Maintain a Secure Network
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Our Comments: Make sure the router you use has a built-in firewall, and change the default password on it. Most consumer routers such as Linksys ship with the user/password admin/admin; have you changed that yet, or are you being lazy? Also make sure the computer you manage the store from runs firewall software. We recommend Eset Smart Security: of the firewall/antivirus products we've tested, it runs the fastest with the least interference to our work. Remember that Requirement 1 also covers the server your shopping cart runs on, not only your office: the hosting firewall should allow inbound traffic only to the web ports (80 and 443) and to your own remote administration, and the database should never be reachable from the internet. Requirement 2 likewise means changing every default, not just the router's: the cart's default admin account and password, the database password, and any sample or demo accounts the installer created.
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Our Comments: In practical terms, Requirement 4 means the part of your E-commerce website where customers enter private data (the whole checkout, not only the final payment page) must be SSL encrypted (HTTPS), and so must your administration screens, since they show you the same data. Check that no page in checkout or admin is served over plain HTTP and that the certificate is valid, so customers don't learn to click through browser warnings. Do not access an admin screen that shows customer credit card data over a wireless network, but if you must, make sure the network uses WPA2 (or at least WPA, never WEP) with a long passphrase (14 characters or more) mixing letters and numbers, not a dictionary word. Requirement 3 is about data at rest: whatever card data your cart writes to its database or log files. The simplest way to protect it is not to keep it at all, which is covered in the shopping cart section of this guide.
Maintain a Vulnerability Management Program
Requirement 5: Use and regularly update anti-virus software
Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
Our Comments: If you are storing customer credit card data in your E-commerce system admin, make sure you have admin access levels. Sometimes this involves installing a custom admin access levels module for your shopping cart. Admin access levels means the person who manages sensitive customer data has a separate login from the other people who perhaps manage products or website content. It also means granting access to certain parts of the admin, such as customer credit card data, only to that person; when the other people log in they won't see it. Separate logins are also what Requirement 8 asks for, and they make Requirement 10 possible: with a shared "admin" account you can never say who looked at a customer's card, so give each staff member their own login and remove it the day they leave. Requirement 9 is the physical side of the same idea: printouts and backups that contain card numbers stay locked up and are shredded when no longer needed.
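Here is what those admin access levels look like in code. This is an added example written for this guide, not code from Oscommerce, Magento or any access-level module; the page names, permission names and roles are assumptions chosen for the illustration, and the audit log is an in-memory list standing in for whatever your cart writes to its database.

```python
"""Admin access levels for a shopping-cart back office.

Added example for PCI DSS requirements 7 and 8 (with the logging that
requirement 10 needs).  Not code from Oscommerce, Magento or any module;
page names, permissions and roles are assumptions for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Admin scripts grouped by what they expose.  Only one group reveals
# cardholder data, so only one permission has to be handed out with care.
PERMISSIONS = {
    "catalog.edit": {"categories.php", "products.php"},
    "content.edit": {"articles.php", "banners.php"},
    "orders.view": {"orders.php"},
    "customers.view": {"customers.php"},
    "payment.view": {"customer_cards.php", "order_payment_details.php"},
}

# Roles are sets of permissions; nobody gets "payment.view" by accident.
ROLES = {
    "content_editor": {"content.edit"},
    "product_manager": {"catalog.edit"},
    "order_clerk": {"orders.view", "customers.view"},
    "finance": {"orders.view", "customers.view", "payment.view"},
}


@dataclass(frozen=True)
class AdminUser:
    username: str  # one login per person, never a shared "admin" account
    role: str


class AdminDirectory:
    """User registry that refuses duplicate logins and generic shared names."""

    SHARED_NAMES = {"admin", "administrator", "root", "store"}

    def __init__(self):
        self._users = {}

    def add(self, username, role):
        name = username.strip().lower()
        if name in self.SHARED_NAMES:
            raise ValueError(f"{username!r} is a shared account name; one login per person")
        if name in self._users:
            raise ValueError(f"{username!r} already exists")
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        user = AdminUser(name, role)
        self._users[name] = user
        return user


def allowed_pages(user):
    """Every page reachable through the user's role; anything else is denied."""
    pages = set()
    for perm in ROLES.get(user.role, ()):
        pages |= PERMISSIONS.get(perm, set())
    return pages


def can_access(user, page):
    return page in allowed_pages(user)


def visible_menu(user):
    """Menu entries to render for this login.  Pages the user cannot open are
    not listed at all, so card-data screens are invisible to content staff."""
    return sorted(allowed_pages(user))


AUDIT_LOG = []  # stand-in for the cart's own admin activity table


def authorize(user, page):
    """Guard to call at the top of every admin script.  Records the decision
    either way, so access to cardholder data is traceable to a person."""
    decision = "ALLOW" if can_access(user, page) else "DENY"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.username,
        "page": page,
        "decision": decision,
        "cardholder_data": page in PERMISSIONS["payment.view"],
    })
    if decision == "DENY":
        raise PermissionError(f"{user.username} may not open {page}")
    return True


def denied(user, page):
    """True when authorize() refuses the request (still logged)."""
    try:
        authorize(user, page)
    except PermissionError:
        return True
    return False


def cardholder_data_accesses():
    """What an auditor asks for: who opened (or tried to open) card-data pages."""
    return [e for e in AUDIT_LOG if e["cardholder_data"]]


if __name__ == "__main__":
    directory = AdminDirectory()
    editor = directory.add("jane", "content_editor")
    bookkeeper = directory.add("tom", "finance")
    print("jane sees:", visible_menu(editor))
    print("tom sees:", visible_menu(bookkeeper))
    authorize(bookkeeper, "customer_cards.php")
    print("jane blocked:", denied(editor, "customer_cards.php"))
    print("card-data accesses:", cardholder_data_accesses())
```

The guard is deny-by-default: a page that is not listed under any permission is unreachable by everyone until someone deliberately assigns it, which is the right failure mode when a new admin script is dropped into the cart. Both the allowed and the refused attempts go into the log, because a string of denials against customer_cards.php from a content editor's login is exactly the event you want to notice.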
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security
Practical Steps To Make Sure You Are Compliant
1. Do not store credit card CVV data (the 3-digit code on the back of the card, or the 4-digit code on the front of American Express cards). Keeping it after authorization is strictly prohibited, even encrypted; the same goes for full magnetic stripe data and PINs.
2. Keep your anti-virus software and firewall software up to date, and use WPA2 (or at least WPA, never WEP) wireless security if you have a wireless network.
3. Make sure your admin is SSL encrypted (HTTPS) and that the front-end customer checkout portion of your website is SSL encrypted.
4. Run a compliance scan from an ASV vendor, see below.
PCI Security Compliance Scans, "Hacker Safe," ASV (Approved Scanning Vendor) Scans
After you have made sure you are following the PCI compliance checklist above, the next step is to have your website scanned. You have probably seen those "hacker safe" logos on different E-commerce websites; that is what those logos refer to. Here is the PDF official list of certified ASV vendors for your reference. Note that an ASV scan is an external vulnerability scan of your public-facing server: it does not test your checkout for application flaws and cannot see what you store, so a passing scan is required but is not proof of compliance on its own. From our research we have not seen that the "hacker safe" logo actually converts more sales, so we don't recommend paying extra for it. Some vendors do not charge extra for the security logo, though. Expect to pay $79 - $250 per year; if they charge more than that, we wouldn't recommend paying it. $79 should be adequate, as you can see from this vendor: Hacker Scan.
Your PCI compliance scan will probably reveal some settings (typically open ports, outdated server software or weak SSL settings) that you will need to send to your web hosting company to be adjusted for your website. Allow 1 - 4 weeks from the first scan to a passing one, since each fix has to be made and the scan re-run.
Keeping Your Shopping Cart (Magento, Oscommerce, CRE Loaded) PCI Compliant
1. First read the guide above.
2. Make sure your customer checkout and admin are SSL encrypted (HTTPS).
3. Keep your shopping cart updated to the newest version to protect against SQL injection and the other security holes fixed in each release, and update the add-on modules too, since an old module is as exploitable as an old cart. Updating your shopping cart should take 1 - 3 hours depending on the amount of customization you have installed.
4. Provide different access levels and logins to the different people who use the administration section of your website. Don't give access to customer credit card information to people who don't need it (i.e. employees who update product info or website articles). For Oscommerce this sometimes involves installing the admin access levels module if you don't already have it.
5. Do you really need to store your customers' credit card data? Usually not; try to avoid it, because it reduces your risk and shrinks what the PCI questionnaire asks of you. You only need the customer to enter the card on the payment screen and to send it immediately to your payment processor. The payment is then authorized/captured, and you don't need to keep that data any longer.
6. Never store CVV credit card information (the 3-digit code on the back of the card, or the 4-digit code on the front of Amex cards), not even temporarily in a database table or log file.
7. If you must keep customer credit card data on file for recurring billing or other applications, many payment processors now offer a service where they store the card data and your shopping cart bills customers through an API (a method of communication between the two systems) using a token that stands in for the card. This means you are no longer responsible for storing that data and don't carry that liability; you keep only the token and the last four digits for display. We fully recommend this solution. Imagine the liability and damages to your company if your customers' credit card data were stolen. For an example of this service, see Authorize.net's Stored Credit Card Service.
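To make steps 5 to 7 concrete, here is a checkout flow that keeps nothing but a processor token and the last four digits. This is an added example, not code from this article, from any shopping cart, or from Authorize.net; ProcessorStandIn simulates the processor's vault in-process so the example runs offline, and a real integration would send the same fields to the processor's API over HTTPS and receive a token back. The test card number is Visa's public test number, not a real card.

```python
"""Checkout that never keeps card numbers or CVV on the merchant side.

Added example, not code from the article, any shopping cart or Authorize.net.
ProcessorStandIn is a stand-in for the processor's card vault; in production
the same fields go to the processor's API over HTTPS and a token comes back.
"""
import re
import secrets
from dataclasses import dataclass

PAN_RE = re.compile(r"\b\d{13,19}\b")  # full card number: 13 to 19 digits
CVV_RE = re.compile(r"\d{3,4}")


def luhn_ok(pan):
    """Mod-10 check every real card number passes; catches typos before
    anything is sent to the processor."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Display form: at most the first 6 and last 4 digits (the PCI DSS masking rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def validate_card_input(pan, cvv):
    """Cheap checks done on the form input; returns an error message or None."""
    pan = pan.replace(" ", "")
    if not (PAN_RE.fullmatch(pan) and luhn_ok(pan)):
        return "invalid card number"
    if not CVV_RE.fullmatch(cvv):
        return "invalid security code"
    return None


class ProcessorStandIn:
    """Simulated processor vault: holds the PAN on its side, issues opaque tokens."""

    def __init__(self):
        self._vault = {}

    def tokenize(self, pan, exp_month, exp_year, cvv):
        # The CVV only proves the card was in hand for this request; it is
        # checked here and dropped, never written to the vault.
        if not CVV_RE.fullmatch(cvv):
            raise ValueError("processor rejected security code")
        token = "tok_" + secrets.token_hex(12)
        self._vault[token] = (pan, exp_month, exp_year)
        return token

    def charge(self, token, amount_cents):
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"approved": True, "amount_cents": amount_cents,
                "auth_code": secrets.token_hex(3).upper()}


@dataclass
class StoredPaymentMethod:
    """All the cart keeps: enough to show 'card ending 1111' and to bill again
    through the processor, nothing that could be used to clone the card."""
    token: str
    last4: str
    exp_month: int
    exp_year: int


class MerchantDB:
    """Stand-in for the cart's database tables."""

    def __init__(self):
        self.payment_methods = {}
        self.orders = []


def checkout(db, processor, customer_id, pan, exp_month, exp_year, cvv, amount_cents):
    """Card details from the payment form go straight to the processor; only
    the token, last four digits and a masked number are written by us."""
    err = validate_card_input(pan, cvv)
    if err:
        raise ValueError(err)
    pan = pan.replace(" ", "")
    token = processor.tokenize(pan, exp_month, exp_year, cvv)
    receipt = processor.charge(token, amount_cents)
    db.payment_methods[customer_id] = StoredPaymentMethod(token, pan[-4:], exp_month, exp_year)
    db.orders.append({"customer": customer_id, "card": mask_pan(pan), **receipt})
    return receipt


def rebill(db, processor, customer_id, amount_cents):
    """Recurring billing: the token is all that is needed; no re-entry, no CVV."""
    method = db.payment_methods[customer_id]
    receipt = processor.charge(method.token, amount_cents)
    db.orders.append({"customer": customer_id, "card": "ending " + method.last4, **receipt})
    return receipt


def leaked_pans(db):
    """Scan everything the cart persisted for anything that looks like a full
    card number; empty if checkout() is doing its job."""
    dump = repr(db.payment_methods) + repr(db.orders)
    return [m.group(0) for m in PAN_RE.finditer(dump) if luhn_ok(m.group(0))]
```

leaked_pans() is the kind of check worth running against an export of your real database and log directory: a digit run that passes the Luhn check anywhere in the dump means the cart is keeping more than it should. Even with tokens, the card number still passes through your checkout page and server memory, so your site remains in scope for the questionnaire; a payment page hosted by the processor is what takes it off your server entirely.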
All article content is copyright of I.T. Web Experts, and is not to be duplicated without express written consent.