Q: PCI Compliancy? What is it? Is OpenCart Compliant?

Posted: Fri Sep 13, 2013 9:46 pm
by Qphoria
Q: What is PCI Compliancy? What does being PCI Compliant mean?
Q: Is OpenCart Compliant? Is OpenCart PCI Compliant?
Q: Is OpenCart PA-DSS Compliant?
Q: What do the different compliancies mean?

A: Compliancy can be confusing and is an often misunderstood concept when dealing with sensitive customer data and ecommerce payments. You can get a more detailed understanding from the internet, but for the purposes of getting you on the right track and understanding the terms, I will give a brief summary of the popular compliancy "buzz words".

PCI Compliant
No doubt most of you have heard this term. But only a few understand what it means.
PCI stands for "Payment Card Industry" and they are a self-induced regulatory organization, much like the BBB or ISO. They offer multiple levels of compliancy, and it is important to understand which type of compliance you need for your website and which piece of the entire server matches with which type of compliancy.

PCI-DSS - This is the most popular. DSS stands for "Data Security Standard" and is somewhat generic in definition. First off, PCI-DSS compliance is directed at your web server; it is not directly related to OpenCart or any specific web software, but to your server as a whole. To be PCI-DSS compliant, a testing company like ControlScan will run an automated battery of scripts against your server IP, trying to find unblocked ports that can be potential openings for hackers, XSS exploits, unpatched bugs, externally accessible database connections, unauthorized SSH access, etc. They are basically attempting to hack into the web server itself to see if there are any flaws worth exploiting. Many times these are false positives, but they are being generically thorough. Most credit card companies require you to pass at least a yearly scan to use any "onsite" credit card APIs, to ensure that you are keeping customer data secure. So being PCI-DSS compliant means that you have taken the steps to secure your web host. This also includes the use of a private SSL certificate on your site if you are accepting onsite payments.

PA-DSS - This is lesser known, but more important when it comes to OpenCart or any web software. PA stands for "Payment Application", which applies directly to the software used to collect the card data (e.g. OpenCart). More specifically, it deals with how and what customer data is stored on the server (in the database or files) and what is done with that information after payment has been completed. Primarily, it focuses on customer credit card information and what may and may not be stored on the server from the payment form: card number, expiration date, CVV code, etc. To be safe, you shouldn't store any of this information. It should be sent directly to the payment gateway as it is entered and never saved to the database. There are, however, some cases where you can store credit card info, if you are making a payment module that saves card data to allow easier future payments. This then comes down to following the rules about how to do it properly.

In OpenCart, PA-DSS mostly deals with each individual payment extension. Each payment extension interfaces with a gateway in its own way. In OpenCart's core code, ALL payment extensions are PA-DSS compliant by default, simply because they DO NOT store ANY card details and all customer data like name and address are declared to be saved to an account as chosen by the customer during registration. It is important that when purchasing a 3rd party payment integration, you buy from a developer with credibility and not from some unknown as there could be malicious code in there to capture the card data. But again, most developers will err on the side of caution and will not store card details. Payment extensions would have to be specifically coded to store this data, so you can't "accidentally" forget to delete card data. So there is no issue with mistakes when it comes to PA-DSS. If you are non-compliant, it is because you coded it that way.

Payment modules that leave your site and are "redirected" to the secure gateway are popular because THEY handle the PCI compliance on their side, and you are automatically compliant when using one of these types of payments (e.g. PayPal Standard). These types of gateways typically DO NOT require you to have your own SSL certificate. But honestly, they are like $20/year from GoDaddy, so it is almost ignorant to not have one anyway. Whatever it takes to make your customer feel safe and get the order.


You can read more about PCI Compliance here:
https://www.pcisecuritystandards.org/se ... /index.php

-Qphoria
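The PA-DSS point in the post above (card number, expiry and CVV must never end up in the database or in files such as logs) is something a store owner can actually check for rather than take on trust. The Python script below is an added example for this thread, not code from the post or from OpenCart: it scans a handful of constructed sample lines, written to look like a web-server log and a database dump, for Luhn-valid card numbers and for labelled CVV fields, and reports only masked values so the scan itself does not become another copy of the data. The sample lines, the table name `oc_order_payment` and the field labels it searches for are assumptions made up for the example.

```python
"""Scan log or database-dump text for stored card data (added example, not OpenCart code)."""
import re

# Constructed sample input: what a server log and a dump of a badly written
# payment extension's table might look like. These are well-known test card
# numbers, not real accounts; the table name oc_order_payment is invented.
SAMPLE_LINES = [
    '2013-09-13 21:46:01 POST /index.php?route=payment/example/send status=200 order_id=1234567890123',
    'INSERT INTO oc_order_payment VALUES (1001, "4111 1111 1111 1111", "09/2015", "123");',
    'DEBUG gateway request: {"number":"5555555555554444","expiry":"0915","cvv":"321"}',
    'INFO customer 42 placed order 1001 total=49.99 tracking=1Z999AA10123456784',
]

# A run of 13-19 digits, optionally separated by spaces or dashes, that is not
# part of a longer digit run. Lookarounds keep us from matching a slice of an
# order id or tracking number.
PAN_RE = re.compile(r'(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)')

# A CVV-like value only counts when it is labelled; a bare 3-digit column
# cannot be told apart from any other small number by pattern alone.
CVV_RE = re.compile(
    r'(?i)\b(?:cvv2?|cvc2?|cid|security[ _]?code)\b["\']?\s*[:=]\s*["\']?(\d{3,4})(?!\d)'
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the truncated form PCI-DSS allows to be shown."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers (digits only) found in one line of text."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r'[ -]', '', m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_for_card_data(lines) -> list:
    """Scan lines; return (line_no, kind, masked_value) tuples, never the raw secret."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((line_no, 'pan', mask_pan(pan)))
        for m in CVV_RE.finditer(line):
            findings.append((line_no, 'cvv', '*' * len(m.group(1))))
    return findings


if __name__ == '__main__':
    for line_no, kind, masked in scan_for_card_data(SAMPLE_LINES):
        print(f'line {line_no}: stored {kind} found ({masked})')
```

Run over the sample, it flags the dumped table row and the debug log line but stays quiet on the order id (13 digits, fails Luhn) and the tracking number (too short). The bare `"123"` column in the dump is not reported, which is the limitation to remember: pattern scanning catches the obvious leaks, but confirming that an extension really stores nothing still means reading its code and its table definitions.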

Re: Q: Compliancy? What is it? Is OpenCart Compliant?

Posted: Fri Sep 13, 2013 10:15 pm
by Qphoria