BISI Designs
Professional Website Design
http://www.bisidesigns.com
PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.
To summarize:
You are PCI-DSS compliant if your site (as a whole) is secured. This mainly focuses on your server for things like XSS, unblocked ports, unauthorized SSH access, outward-facing DB ports, etc.
You are PA-DSS compliant if your payment extension doesn't store card data of any type, especially not the CVV code. It is allowed to save the card number for modules that offer the ability to store card data for future use, but that has its own set of additional rules. By default, all OpenCart payment extensions are PA-DSS compliant. The software as a whole is PCI-DSS compliant. But your server also has to be tested for its part of PCI compliance.
Qphoria wrote:
    PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.

Can you please elaborate on that more? What do you mean by they are modular and not at the OpenCart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSL in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.
Authorize.Net is a module that comes in the boxed download of OpenCart, so how is that not on OpenCart to make sure it is compliant?
Sorry to be a pain, but if my customers do not have warm fuzzies, they will keep looking.
BISI Designs
Professional Website Design
http://www.bisidesigns.com
BISIdesigns wrote:
    Qphoria wrote:
        PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.
    Can you please elaborate on that more? What do you mean by they are modular and not at the OpenCart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSL in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.
    Authorize.Net is a module that comes in the boxed download of OpenCart, so how is that not on OpenCart to make sure it is compliant?
    Sorry to be a pain, but if my customers do not have warm fuzzies, they will keep looking.

Well, given that OpenCart is open source released under the GPL, the PA-DSS would have a hard time holding anyone building OpenCart responsible.
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Xsecrets wrote:
    BISIdesigns wrote:
        Qphoria wrote:
            PA-DSS typically comes down to the payment modules. They are "modular" so it wouldn't be at the opencart general level.
        Can you please elaborate on that more? What do you mean by they are modular and not at the OpenCart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSL in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.
        Authorize.Net is a module that comes in the boxed download of OpenCart, so how is that not on OpenCart to make sure it is compliant?
        Sorry to be a pain, but if my customers do not have warm fuzzies, they will keep looking.
    Well, given that OpenCart is open source released under the GPL, the PA-DSS would have a hard time holding anyone building OpenCart responsible.

Open source has nothing to do with it. It is he who owns the website and distributes the cart. Open source simply means that the source is not encrypted and is open to the site owner for modification. The GPL does not exempt any one person from the rules. I am not sure why you would think that.
You can read the GPL here: http://www.gnu.org/copyleft/gpl.html
BISI Designs
Professional Website Design
http://www.bisidesigns.com
-Ryan
BISIdesigns wrote:
    Open source has nothing to do with it. It is he who owns the website and distributes the cart. Open source simply means that the source is not encrypted and is open to the site owner for modification. The GPL does not exempt any one person from the rules. I am not sure why you would think that.
    You can read the GPL here: http://www.gnu.org/copyleft/gpl.html

The website owner, sure, but how is some standards body going to hold a person that is releasing a free cart responsible for anything? Given it's not even a government agency, and even at that, we are on the internet, so which government would it be? If you want to take the cart and sell it, then sure, maybe you could be held responsible (and yes, this is allowed by the GPL).
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Xsecrets wrote:
    BISIdesigns wrote:
        Open source has nothing to do with it. It is he who owns the website and distributes the cart. Open source simply means that the source is not encrypted and is open to the site owner for modification. The GPL does not exempt any one person from the rules. I am not sure why you would think that.
        You can read the GPL here: http://www.gnu.org/copyleft/gpl.html
    The website owner, sure, but how is some standards body going to hold a person that is releasing a free cart responsible for anything? Given it's not even a government agency, and even at that, we are on the internet, so which government would it be? If you want to take the cart and sell it, then sure, maybe you could be held responsible (and yes, this is allowed by the GPL).

The easy answer: many will just abandon this ship and go elsewhere. Most website owners are not programmers, either. That is why they find a cart that suits their needs, so they do not have to build their own cart or reprogram it every time a problem comes up. They get updates from the cart creator. I guess I have morals and would not ignore something like this, but you, my friend, must not care about others having problems.
The other problem is that any store owner using a non-compliant cart is putting their butt on the line and may be denied a merchant account. Well, that goes back to the abandonment of this ship.
Whether I like the new rules for CC processing or not, the fact of the matter is that they are here and they can affect a store owner's business. So we must deal with what is handed to us. And the compliance ... insert choice word here ... is something we have to deal with.
I will wait for Daniel to weigh in, but it looks like this will not be what my current customers are looking for, since it is not going to pass the new scans. I was hoping it would be, as it is a slick cart and user friendly.
BISI Designs
Professional Website Design
http://www.bisidesigns.com
Last time, one thing was brought up, which was that SQL error messages are displayed when there is an error.
OpenCart is very stable and very secure.
Anyway, you can see the PCI compliance advertisement on the right. I suggest you contact this company about testing whether your site is secure.
Also, the GPL does state that the creator is not responsible for you using the script.
Actually, I think you are full of crap, just trying to put people off from using OpenCart! You have not explained why OpenCart would not pass.
OpenCart®
Project Owner & Developer.
Daniel wrote:
    I'm sorry, but at which part does OpenCart fail?

Now that is the million dollar question... in a sense.
I have gone rounds with processors about this issue. And mind you, I just downloaded OC today and have not even finished "setting up store", so I am not ready to run a scan.
However, I just had another site scanned, and they said that besides the SQL errors, older versions of PHP, MySQL, etc., there was also something about the way that the data is transmitted from the cart to the merchant processor. But... they said that their scan does not check the way the data is transmitted. It just looks for security problems in the hosting and the scripts on the hosting. At which point I was totally confused and wondered why I had even had them run the scan....
Now, the merchant processors I spoke with, Authorize.Net included, would not say HOW it is supposed to be transmitted, or they just flat don't know what all this means either. They said you need an SSL, but that the SSL is not enough to make sure the CC info is not hacked. And they said that not storing CCs is not enough.
I personally became more than cross-eyed trying to understand the stuff set by PA-DSS https://www.pcisecuritystandards.org/se ... _dss.shtml
I do believe that you are very dedicated to the OC project. I would be in your shoes too. I believe you are a genuinely honest person and are trying to keep OC user friendly & secure. I have read many of your other posts here. I have no reason to doubt that. Please do not take this as a personal attack as it is not.
I hear flack about this all the time from my customers. Many are running scared about this whole new compliance stuff rolling down the hill. Some are even so scared they are contemplating closing up the idea of doing their online business and going back to work for another company mainly out of fear.
I guess what I need is something that will give them the warm fuzzies they are looking for so they will continue their online businesses (thus keeping you and me in business).
So I honestly do not know but I do know what customers are freaking out about. I guess they want to see a logo on your site that says "I am PCI-Compliant and have passed through the PA-DSS testing and here is my certificate to show that!"
This is just so confusing and almost crazy.
BISI Designs
Professional Website Design
http://www.bisidesigns.com
https://www.pcisecuritystandards.org/se ... _list.html
BISI Designs
Professional Website Design
http://www.bisidesigns.com
BISIdesigns wrote:
    I have gone rounds with processors about this issue. And mind you, I just downloaded OC today and have not even finished "setting up store", so I am not ready to run a scan.

As long as you're not modding the cart, it doesn't matter how many products your store has. The framework is the same with 10 or 10,000. If you're really concerned, I'd suggest installing the default store and running a scan on that before doing any work at all.

BISIdesigns wrote:
    However, I just had another site scanned, and they said that besides the SQL errors, older versions of PHP, MySQL, etc., there was also something about the way that the data is transmitted from the cart to the merchant processor. But... they said that their scan does not check the way the data is transmitted. It just looks for security problems in the hosting and the scripts on the hosting. At which point I was totally confused and wondered why I had even had them run the scan....

Old versions of PHP and MySQL wouldn't be a problem with OpenCart. They'd be a problem with your host.
Scanning companies can't test everything. That's just not possible with an automated system. They just scan for the big things like unsecured directories, SQL injections, exposing source, and the like.
-Ryan
Any cart using php or mysql with a webhost has the exact same main vulnerabilities. A weak password for your cpanel or database or cart or any of the admin entry points can screw you. This is at the user level.
The only thing you can really protect against is XSS and CSRF, which falls under PCI-DSS compliance.
Nobody has complained of any issues of being hacked.
No sensitive payment data is stored by any mods except one of my payment mods, which is why i say it comes down to the individual modules, not the store. There is a plugin clause somewhere in that document.
Bottom line is, PCI-DSS is up to you and your server. As long as customers see that SSL lock on their browser, they think they are secure and happy to buy. But they have no idea if the admin running that store used "12345" as his backend password.
Qphoria wrote:
    Seems much like antivirus companies, these PCI scanning companies create a lot of hoopla to scare up business.

Very true, but it's the credit card processors that are forcing businesses to use them. I wasted a week jumping through hoops trying to show that, no, an anonymous FTP account that dead-ends and has no read/write/execute permissions is not a "high risk".

Qphoria wrote:
    The only thing you can really protect against is XSS and CSRF, which falls under PCI-DSS.. and the reality is that you don't know if it is until someone hacks it.

They do check cross-site scripting, but they don't check CSRF (there's probably no way they really could beyond version checking the cart against known instances). That's why I think anyone parading around those silly "Hacker Safe" insignias has completely lost their marbles. PCI scans are only the absolute minimum you should be doing.
-Ryan
BISIdesigns wrote:
    I guess I have morals and would not ignore something like this, but you, my friend, must not care about others having problems.

OK, Mr. Moral High Ground, if you care so much about it, where is your certified solution that matches all the regs you mentioned? You could check it all just as easily as I can. As you can see, it's VERY complicated and would take loads of time, which most people who are working on GPL software don't have. It would probably take months of full-time work to go through all those specs and verify everything, and God only knows how long to get an answer back from that regulatory group (if they'll even talk to you) to have it "certified" or whatever.
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
It may be tomorrow, or it may be 5 years from now, but one of these days there will be someone here crying they got hit with the penalty and are losing their business.
Again, I am not saying there is a problem with OC. Quite frankly, I don't know. But it seems no one else does either and someone should. Will the poor soul who first gets caught out of compliance sue Daniel, or anyone else? I have no idea. But the fact remains that there is a possibility of liability being passed on. Not a good thing, even if nothing comes of it.
A Trusted Wholesale Dropshipper
Web Hosting Under $ 5.00 Month! FREE Shopping Carts!
25,000+ Real Wholesale & Dropship Sources!
-Ryan
Qphoria wrote:
    Seems much like antivirus companies, these PCI scanning companies create a lot of hoopla to scare up business.

I totally agree. And moreover, it is also a way for gateways to charge you more if you don't have it.
Here is how to get compliant with OpenCart.
Step 1. Use a host that touts their ability to be compliant. From my experience, most failures on these scans come from PHP, Apache, MySQL and the firewall (hosting environment).
Step 2. Answer the PCI compliance questionnaire wisely. If you don't know how to answer, find someone who does. It is mostly brainless stuff like: do you have a firewall, does your firewall do stateful inspection, do you store credit card numbers, and so on.
You should be able to pass easily with Opencart. If your scan fails, post it here and let us know.
We have passed on our carts so far.
http://www.tintedpixel.com
Web Centric Creative
rph wrote:
    But PCI compliance isn't about OpenCart. There are all kinds of things you have to do online and off that have nothing to even do with it. Scanning your cart is just one thing that happens and no one's even shown OpenCart doesn't pass!

McAfee says OpenCart doesn't pass. The way it links to other parts of OpenCart is an open security vuln that can be used to make other sites think your site is connecting
Vulnerability Detail
Device:         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Vulnerability:  User specified URL redirection (Open Redirect)
Port:           80/tcp
Scan Date:      26-OCT-2010 15:18
URL:
Protocol:       http
Port:           80
Read Timeout:   10000
Method:         POST
Demo:
Path:           /index.php
Query:          route=common/home
Headers:        Referer=http%3A%2F%2Fxxxxxxxxxxxxxxx%2F
                Content-Type=multipart%2Fform-data%3B+boundary%3DX
Body:           --X Content-Disposition: form-data; name="currency_code" 0 --X Content-Disposition: form-data; name
https://www.lotnllc.com is your one stop shop for all your computer needs!
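The scan record in the post above shows a POST to index.php?route=common/home carrying a currency_code field and a scanner-chosen Referer, reported as "User specified URL redirection (Open Redirect)". The Python below is an added example, not OpenCart's code and not McAfee's check: it assumes (the page does not establish this) that the handler behind that POST sends the visitor back to the Referer or to a posted redirect value, which is the one pattern that turns such a request into an open redirect, and sets that pattern beside a version that can only ever redirect within the store. SITE_HOST, attacker.example, the redirect field and the function names are assumptions made for the example.

```python
# Added example (not OpenCart's code, not McAfee's check): the pattern an
# "open redirect" scanner finding points at, beside a hardened replacement.
#
# Assumption, not established by the page: the handler behind the scan's POST
# (index.php?route=common/home with a currency_code field) sends the visitor
# back to the Referer, or to a posted redirect value. Both come from the
# client, so the scanner's own Referer ends up in the Location header.
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

SITE_HOST = "shop.example"                       # assumed store hostname (constructed)
DEFAULT_TARGET = "/index.php?route=common/home"  # the route from the scan record


def vulnerable_redirect_target(referer: Optional[str],
                               posted_redirect: Optional[str] = None) -> str:
    """Client-chosen destination: whatever the request supplied is used verbatim."""
    if posted_redirect:
        return posted_redirect
    if referer:
        return referer
    return DEFAULT_TARGET


def safe_redirect_target(candidate: Optional[str],
                         site_host: str = SITE_HOST,
                         default: str = DEFAULT_TARGET) -> str:
    """Accept only destinations inside this store, and emit them as a site-relative path.

    Refused (fall back to `default`): empty values; anything containing control
    characters (CR/LF would allow response-header injection); absolute URLs whose
    scheme is not http(s) or whose host is not `site_host`; scheme-relative
    "//host" and the "/\\host" form that some browsers treat the same way.
    """
    if not candidate or any(ord(ch) < 0x20 for ch in candidate):
        return default
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute or scheme-relative URL: allow only our own host over http(s).
        # .hostname strips userinfo and port, so "shop.example@attacker.example" fails here.
        if parts.scheme.lower() not in ("http", "https"):
            return default
        if parts.hostname is None or parts.hostname != site_host.lower():
            return default
    path = parts.path or "/"
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        return default
    # Rebuild without scheme and host so the browser can only stay on this origin.
    return urlunsplit(("", "", path, parts.query, parts.fragment))


def scanner_case() -> dict:
    """Replay the shape of the scan's request with a constructed attacker Referer."""
    attacker_referer = "http://attacker.example/"  # constructed stand-in for the scanner's Referer
    return {
        "vulnerable": vulnerable_redirect_target(attacker_referer),
        "hardened": safe_redirect_target(attacker_referer),
    }


if __name__ == "__main__":
    for name, target in scanner_case().items():
        print(f"{name:10s} -> Location: {target}")
```

Run as-is and the "vulnerable" line shows the attacker's URL being handed back as the redirect target, which is all a scanner needs to see to raise this finding; the "hardened" line falls back to the store's own home route. The design choice worth copying is that the safe version never passes the client's scheme or host through: a same-host absolute URL is reduced to its path and query, so the only thing a Referer or redirect field can influence is where on this store the visitor lands.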