Post by BISIdesigns » Sun Mar 14, 2010 8:45 pm

Being a web designer, I have a lot of customers worried about PCI-compliance and I am finding nothing about this with OpenCart. I also do not see anything saying OpenCart has passed the PA-DSS requirements. My customers accept Authorize.Net so this is a very important issue for them as they look for options.

BISI Designs
Professional Website Design
http://www.bisidesigns.com


New member
Joined Sun Mar 14, 2010 8:32 pm


Post by Qphoria » Sun Mar 14, 2010 9:11 pm

PCI-DSS is at the server level.
PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.

To summarize:
You are PCI-DSS compliant if your site (as a whole) is secured. This mainly focuses on your server for things like XSS, unblocked ports, unauthorized SSH access, outward-facing DB ports, etc.
You are PA-DSS compliant if your payment extension doesn't store card data of any type, especially not the CVV code. It is allowed to save the card number for modules that offer the ability to store card data for future use, but that has its own set of additional rules. By default, all OpenCart payment extensions are PA-DSS compliant. The software as a whole is PCI-DSS compliant. But your server also has to be tested for its part of PCI-Compliance.

OpenCart 2.0.x Mod Update Info



Administrator
Joined Tue Jul 22, 2008 3:02 am

Post by BISIdesigns » Sun Mar 14, 2010 9:19 pm

Qphoria wrote:PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.
Can you please elaborate on that more? What do you mean by they are modular and not at the opencart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSLs in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.

Authorize.Net is a module that comes in the boxed download of opencart so how is that not on opencart to make sure it is compliant?

Sorry to be a pain but if my customers do not have warm-fuzzies, they will keep looking. :-\



Post by Xsecrets » Mon Mar 15, 2010 12:47 am

BISIdesigns wrote:
Qphoria wrote:PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.
Can you please elaborate on that more? What do you mean by they are modular and not at the opencart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSLs in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.

Authorize.Net is a module that comes in the boxed download of opencart so how is that not on opencart to make sure it is compliant?

Sorry to be a pain but if my customers do not have warm-fuzzies, they will keep looking. :-\
Well, given that OpenCart is open source released under the GPL, the PA-DSS would have a hard time holding anyone building OpenCart responsible.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member
Joined Sun Oct 25, 2009 3:51 am
Location - FL US

Post by BISIdesigns » Mon Mar 15, 2010 1:06 am

Xsecrets wrote:
BISIdesigns wrote:
Qphoria wrote:PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.
Can you please elaborate on that more? What do you mean by they are modular and not at the opencart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSLs in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.

Authorize.Net is a module that comes in the boxed download of opencart so how is that not on opencart to make sure it is compliant?

Sorry to be a pain but if my customers do not have warm-fuzzies, they will keep looking. :-\
Well, given that OpenCart is open source released under the GPL, the PA-DSS would have a hard time holding anyone building OpenCart responsible.
Open source has nothing to do with it. It is he who owns the website and distributes the cart. Open source simply means that the source is not encrypted and is open to the site owner for modification. The GPL does not exempt any one person from the rules. I am not sure why you would think that.

You can read the GPL here: http://www.gnu.org/copyleft/gpl.html



Post by rph » Mon Mar 15, 2010 1:14 am

Your website will also get scanned for security issues by a compliance company. Some of those issues OpenCart handles (preventing DB injections, for instance) and some of it's up to the website administrator (disabling anonymous FTP).

-Ryan


rph
Expert Member
Joined Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by Xsecrets » Mon Mar 15, 2010 5:59 am

BISIdesigns wrote: Open source has nothing to do with it. It is he who owns the website and distributes the cart. Open source simply means that the source is not encrypted and is open to the site owner for modification. The GPL does not exempt any one person from the rules. I am not sure why you would think that.

You can read the GPL here: http://www.gnu.org/copyleft/gpl.html
The website owner sure, but how is some standards body going to hold a person that is releasing a free cart responsible for anything? Given it's not even a government agency, and even at that we are on the internet, which government would it be? If you want to take the cart and sell it then sure, maybe you could be held responsible. (And yes, this is allowed by the GPL.)


Post by BISIdesigns » Mon Mar 15, 2010 6:20 am

Xsecrets wrote:
BISIdesigns wrote: Open source has nothing to do with it. It is he who owns the website and distributes the cart. Open source simply means that the source is not encrypted and is open to the site owner for modification. The GPL does not exempt any one person from the rules. I am not sure why you would think that.

You can read the GPL here: http://www.gnu.org/copyleft/gpl.html
The website owner sure, but how is some standards body going to hold a person that is releasing a free cart responsible for anything? Given it's not even a government agency, and even at that we are on the internet, which government would it be? If you want to take the cart and sell it then sure, maybe you could be held responsible. (And yes, this is allowed by the GPL.)
The easy answer, many will just abandon this ship and go elsewhere. Most website owners are not programmers as well. That is why they find a cart that suits their needs. So they do not have to build their own cart or reprogram it every time a problem comes up. They get updates from the cart creator. I guess I have morals and would not ignore something like this but you my friend, must not care about others having problems.

The other problem is that any store owner using a non-compliant cart is putting their butt on the line and may be denied a merchant account. Well, that goes back to the abandonment of this ship.

Whether I like the new rules for cc processing or not, the fact of the matter is that they are here and they can affect a store owner's business. So we must deal with what is handed to us. And the compliance ... insert choice word here ... is something we have to deal with. :(

I will wait for Daniel to weigh in but it looks like this will not be what my current customers are looking for since it is not going to pass the new scans. I was hoping it would be as it is a slick cart and user friendly. :-\



Post by Daniel » Mon Mar 15, 2010 6:32 am

I'm sorry but at which part does OpenCart fail?

Last time one thing was brought up which was that SQL error messages are displayed when there is an error.

OpenCart is very stable and very secure.

Anyway, you can see the PCI compliance advertisement on the right. I suggest you contact this company about testing your site if it's secure.

Also, the GPL does state that the creator is not responsible for you using the script.

Actually I think you are full of crap just trying to put people off from using OpenCart! You have not explained why OpenCart would not pass.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


Administrator
Joined Fri Nov 03, 2006 6:57 pm

Post by BISIdesigns » Mon Mar 15, 2010 6:46 am

Daniel wrote:I'm sorry but at which part does OpenCart fail?
Now that is the million dollar question... in a sense.

I have been rounds about this issue with processors about this. And mind you, I just downloaded OC today and have not even finished "setting up store" so I am not ready to run a scan.

However, I just had another site scanned and they said that besides the sql errors, older versions of php, mysql, etc, that there was also something about the way that the data is transmitted from the cart to the merchant processor place. But... they said that their scan does not check the way the data is transmitted. It just looks for security problems in the hosting and the scripts on the hosting. Which at that point I was totally confused and wondered why I had even had them run the scan....

Now, the merchant processors I spoke with, Authorize.Net included, would not say HOW it is supposed to be transmitted or they just flat don't know what all this means either. They said you need an SSL but that the SSL is not enough to make sure the CC info is not hacked. And they said that not storing CC's is not enough.

I personally became more than cross-eyed trying to understand the stuff set by PA-DSS https://www.pcisecuritystandards.org/se ... _dss.shtml

I do believe that you are very dedicated to the OC project. I would be in your shoes too. I believe you are a genuinely honest person and are trying to keep OC user friendly & secure. I have read many of your other posts here. I have no reason to doubt that. Please do not take this as a personal attack as it is not.

I hear flack about this all the time from my customers. Many are running scared about this whole new compliance stuff rolling down the hill. Some are even so scared they are contemplating closing up the idea of doing their online business and going back to work for another company mainly out of fear.

I guess what I need is something that will give them the warm fuzzies they are looking for so they will continue their online businesses (thus keeping you and me in business ;)).

So I honestly do not know but I do know what customers are freaking out about. I guess they want to see a logo on your site that says "I am PCI-Compliant and have passed through the PA-DSS testing and here is my certificate to show that!" ::)

This is just so confusing and almost crazy. :-X



Post by BISIdesigns » Mon Mar 15, 2010 7:15 am

And this is something people are looking at and not seeing many carts on the list. Just an fyi.

https://www.pcisecuritystandards.org/se ... _list.html



Post by rph » Mon Mar 15, 2010 10:45 am

BISIdesigns wrote:I have been rounds about this issue with processors about this. And mind you, I just downloaded OC today and have not even finished "setting up store" so I am not ready to run a scan.
As long as you're not modding the cart it doesn't matter how many products your store has. The framework is the same with 10 or 10,000. If you're really concerned I'd suggest installing the default store and running a scan on that before doing any work at all.

BISIdesigns wrote:However, I just had another site scanned and they said that besides the sql errors, older versions of php, mysql, etc, that there was also something about the way that the data is transmitted from the cart to the merchant processor place. But... they said that their scan does not check the way the data is transmitted. It just looks for security problems in the hosting and the scripts on the hosting. Which at that point I was totally confused and wondered why I had even had them run the scan....
Old versions of PHP and MySQL wouldn't be a problem with OpenCart. They'd be a problem with your host.

Scanning companies can't test everything. That's just not possible with an automated system. They just scan for the big things like unsecured directories, SQL injections, exposing source, and the like.

-Ryan



Post by Qphoria » Mon Mar 15, 2010 11:18 am

Seems much like antivirus companies, these PCI scanning companies create a lot of hoopla to scare up business.

Any cart using php or mysql with a webhost has the exact same main vulnerabilities. A weak password for your cpanel or database or cart or any of the admin entry points can screw you. This is at the user level.

The only thing you can really protect is against XSS and CSRF which falls under PCI-DSS compliance.

Nobody has complained of any issues of being hacked.
No sensitive payment data is stored by any mods except one of my payment mods, which is why I say it comes down to the individual modules, not the store. There is a plugin clause somewhere in that document.

Bottom line is, PCI-DSS is up to you and your server. As long as customers see that SSL lock on their browser, they think they are secure and happy to buy. But they have no idea if the admin running that store used "12345" as his backend password.


Post by rph » Mon Mar 15, 2010 11:45 am

Qphoria wrote:Seems much like antivirus companies, these PCI scanning companies create a lot of hoopla to scare up business.
Very true, but it's the credit card processors that are forcing businesses to use them. I wasted a week jumping through hoops trying to show that, no, an anonymous FTP account that dead-ends and has no read/write/execute permissions is not a "high risk".

Qphoria wrote:The only thing you can really protect is against XSS and CSRF which falls under PCI-DSS.. and the reality is that you don't know if it is until someone hacks it.
They do check cross-site scripting but they don't check CSRF (there's probably no way they really could beyond version checking the cart against known instances). That's why I think anyone parading around those silly "Hacker Safe" insignias has completely lost their marbles. PCI scans are only the absolute minimum you should be doing.

-Ryan



Post by Xsecrets » Mon Mar 15, 2010 1:26 pm

BISIdesigns wrote:I guess I have morals and would not ignore something like this but you my friend, must not care about others having problems.
OK Mr. moral high ground, if you care so much about it, where is your certified solution that matches all the regs you mentioned? You could check it all just as easy as I can. As you can see it's VERY complicated and would take loads of time which most people who are working on GPL software don't have. It would probably take months of full time work to go through all those specs and verify everything, and god only knows how long to get an answer back from that regulatory group (if they'll even talk to you) to have it "certified" or whatever.


Post by peteVA » Tue Mar 16, 2010 12:33 am

Minimum fine for not being PCI compliant is like $10,000 and it goes up from there. It must be taken seriously by anyone dealing with credit and debit card payments online. To ignore it, or point fingers is not the solution. Everyone along the line from developer to host to user has a part in seeing that the whole is compliant.

It may be tomorrow, or it may be 5 years from now, but one of these days there will be someone here crying they got hit with the penalty and are losing their business.

Again, I am not saying there is a problem with OC. Quite frankly, I don't know. But it seems no one else does either and someone should. Will the poor soul who first gets caught out of compliance sue Daniel, or anyone else? I have no idea. But the fact remains that there is a possibility of liability being passed on. Not a good thing, even if nothing comes of it.

A Trusted Wholesale Dropshipper
Web Hosting Under $ 5.00 Month! FREE Shopping Carts!
25,000+ Real Wholesale & Dropship Sources!


Active Member
Joined Mon Jul 20, 2009 8:25 am

Post by rph » Tue Mar 16, 2010 2:54 am

But PCI compliance isn't about OpenCart. There are all kinds of things you have to do online and off that have nothing to even do with it. Scanning your cart is just one thing that happens and no one's even shown OpenCart doesn't pass!

-Ryan



Post by tintedpixel » Wed Mar 17, 2010 12:38 pm

Qphoria wrote:Seems much like antivirus companies, these PCI scanning companies create a lot of hoopla to scare up business.
I totally agree. And moreover it is also a way for gateways to charge you more if you don't have it.

Here is how to get compliant with Opencart.

Step 1. Use a host that touts their ability to be compliant, from my experience most failures on these scans come from php, apache, mysql and firewall (hosting environment).

Step 2. Answer the PCI compliant questionnaire wisely. If you don't know how to answer, find someone who does. It is mostly brainless stuff like, do you have a firewall, does your firewall do stateful inspection, do you store credit card numbers, and so on.

You should be able to pass easily with Opencart. If your scan fails, post it here and let us know.

We have passed on our carts so far.

http://www.tintedpixel.com
Web Centric Creative


New member
Joined Fri Sep 25, 2009 11:56 pm
Location - Denver, Colorado

Post by Demon5 » Wed Oct 27, 2010 6:55 am

rph wrote:But PCI compliance isn't about OpenCart. There are all kinds of things you have to do online and off that have nothing to even do with it. Scanning your cart is just one thing that happens and no one's even shown OpenCart doesn't pass!
McAfee says OpenCart doesn't pass. The way it links to other parts of OpenCart is an open security vuln that can be used to make other sites think your site is connecting.

Vulnerability Detail
Device xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Vulnerability User specified URL redirection (Open Redirect)
Port 80/tcp
Scan Date 26-OCT-2010 15:18


URL
Protocol http Port 80 Read Timeout 10000 Method POST Demo
Path /index.php
Query route=common/home
Headers Referer=http%3A%2F%2Fxxxxxxxxxxxxxxx%2F
Content-Type=multipart%2Fform-data%3B+boundary%3DX
Body --X Content-Disposition: form-data; name="currency_code" 0 --X Content-Disposition: form-data; name

https://www.lotnllc.com is your one stop shop for all your computer needs!


Active Member
Joined Sat Jun 19, 2010 4:12 am
Location - Sacramento, CA
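
A server-side check for the "User specified URL redirection (Open Redirect)" class of finding in the scan report above, as an added example that is not part of the thread and not OpenCart's own code. The report does not show which field carried the URL, so `safe_redirect_target`, `shop.example` and `other.example` are hypothetical names, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not OpenCart code): return $candidate only when it
 * keeps the visitor on the store's own host; otherwise return $fallback.
 */
function safe_redirect_target(string $candidate, string $storeHost, string $fallback): string
{
    // Control characters allow header splitting, and browsers read "\" as "/".
    if ($candidate === ''
        || preg_match('/[\x00-\x1F\x7F]/', $candidate) === 1
        || strpos($candidate, '\\') !== false) {
        return $fallback;
    }

    // Site-relative path: exactly one leading slash ("//host" names another host).
    if ($candidate[0] === '/') {
        return substr($candidate, 0, 2) === '//' ? $fallback : $candidate;
    }

    // Anything else must be an absolute http(s) URL on the store's host.
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;                       // e.g. "javascript:..." or a bare word
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;                       // "store@other-host" style userinfo
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    return strcasecmp($parts['host'], $storeHost) === 0 ? $candidate : $fallback;
}

// Constructed sample values; shop.example and other.example are placeholders.
$storeHost = 'shop.example';
$home      = '/index.php?route=common/home';    // route seen in the scan report
$samples   = [
    '/index.php?route=common/home',
    'http://shop.example/index.php?route=common/home',
    'http://other.example/',
    '//other.example/',
    'http://shop.example@other.example/',
    '/\\other.example',
    "http://shop.example/\r\nX-Test: 1",
    'javascript:alert(1)',
];

foreach ($samples as $s) {
    $target = safe_redirect_target($s, $storeHost, $home);
    printf("%-55s => %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $target);
}
```

Only the first two samples come back unchanged; every other input is replaced by the fallback route, so the value is safe to place in a `Location` header.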