Post by matthewbaynham » Thu Feb 06, 2020 2:13 am

Does anyone have a web link to the security requirements I need to satisfy in order to process transactions on my server?

I'm just starting out and I'm trying to plan things before setting up my server. So if the security requirements for running my own server are too complex I'll just look for another solution, like having a webshop on an existing platform. However if the security requirements are not too difficult then it would be nice to run my own server and manage everything myself.

So I'm interested web links for security requirements for credit card transactions and payment gateways in general. And any tips.



Post by Johnathan » Thu Feb 06, 2020 3:05 am

You basically just need to get an SSL certificate on your server (which you can ask your web host to install for you). They usually run around $50 - $100 per year, though you can get a free one from Let's Encrypt if you know how to install one yourself. Your web host might help you with one like that, but it depends on how nice they are.

Once you have that installed, you can change the HTTPS_SERVER constants in config.php and admin/config.php to use your https URLs, then turn on SSL in the System > Settings area (it's in the Server tab). That should get your account, cart, and checkout pages using https, so they're secure for payments.

Beyond that, you'd just need to make sure you get a payment extension that's specifically designed for your payment processor. OpenCart comes with a few popular ones like Authorize.net, Square, and PayPal Standard (which doesn't actually require an SSL certificate, by the way), or you can find third-party extensions in the opencart.com marketplace (https://www.opencart.com/index.php?rout ... /extension). If you use Stripe or Braintree, I have extensions for those here:

• Stripe Payment Gateway
• Braintree Payment Gateway

Hope that helps



Post by johnp » Thu Feb 06, 2020 6:28 pm

I use the Let's Encrypt SSL on all my sites. My host installs it for free on request. It works fine.

Opencart 1.5.6.5/OC Bootstrap Pro/VQMOD 2.6.1 lover, user and geek.
Affordable Service £££ - Opencart Installs, Fixing, Development and Upgrades
Plus Ecommerce, Marketing, Mailing List Management and More
FREE Guidance and Advice at https://www.ecommerce-help.co.uk



Post by OSWorX » Thu Feb 06, 2020 7:19 pm

johnp wrote:
Thu Feb 06, 2020 6:28 pm
I use the Let's Encrypt SSL on all my sites.
This type of SSL certificate may be cheap (in terms of cost, it does not cost anything because it is free), but it IS cheap.
And it is used worldwide by many fake shops.
Because using https only says nothing about the website owner and/or the security of a webshop!
Better to use a "real" SSL certificate for webshops, issued to the website it is used on or to the owner of the shop.
The cost for that starts at around 25 Euro per year; if you do not have that money, better leave it!

So, if you want to build trust and confidence, avoid using Let's Encrypt certificates on webshops.
They may be good for simple personal sites built with a CMS.

Custom Development | Individuelle Entwicklung | Support & Bugfixes


Post by matthewbaynham » Thu Feb 06, 2020 10:30 pm

I've found out about the PCI Security Standards Council and it seems to be a little more robust than just using an SSL.

https://www.pcisecuritystandards.org

Why is their document library so extensive if the only thing I need to do is manage an SSL?

Looks like the PCI SSC is saying it's complicated and you guys are saying it's easy.

Wikipedia says a few things https://en.wikipedia.org/wiki/Payment_C ... y_Standard

Does the PCI SSC just not apply if you have transactions going through extensions? Or do the payment extensions store the data?

Why is there a mismatch between them and you?


Posts

Joined
Fri Nov 01, 2019 9:18 pm

Post by Johnathan » Thu Feb 06, 2020 10:59 pm

PCI Compliance is generally only required if you're handling card data on your server. Most payment gateways these days have ways to avoid doing that, so you only need the very lowest level of PCI Compliance (which most servers meet). It depends on what payment gateway you're using, but most good ones will handle the card data themselves. For example, Stripe uses a javascript library to send the card data to their servers, where it tokenizes it, and then the OpenCart extension sends the token to your server to process the transaction. It avoids card data touching your server, so you don't really need to worry about PCI Compliance.

Of course, you can certainly work on making your server have a higher level of PCI Compliance if you want, but it's a lot of work. I'd recommend hiring someone who knows what they're doing if you want to go that route. If you need to find a developer, you can post a request in the OpenCart "Commercial Support" forum, which is checked by a number of OpenCart developers. You can also try checking out the OpenCart "Partners" area.
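A defensive check for the point above that card data should never reach your server, written as an added example (not OpenCart's or Stripe's code): it scans an incoming checkout form for Luhn-valid 13-19 digit runs, so a misconfigured integration that posts raw card numbers to the shop is caught and logged instead of silently widening your PCI scope. The guard function and the two request dictionaries are hypothetical, constructed samples.

```python
import re
from typing import Dict, List

# Hypothetical guard for a shop's checkout endpoint: a tokenized integration should
# only ever deliver a processor token (e.g. "tok_...") to the server, never a PAN.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Real PANs pass it; most order ids and phone numbers do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_fields(form: Dict[str, str]) -> List[str]:
    """Return the names of form fields whose value contains a Luhn-valid 13-19 digit run."""
    hits = []
    for name, value in form.items():
        for match in PAN_CANDIDATE.finditer(str(value)):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append(name)
                break
    return hits


def reject_if_card_data(form: Dict[str, str]) -> bool:
    """True when the request is safe to process; False (plus a log line) when PANs are present."""
    fields = find_pan_fields(form)
    if fields:
        # Log the field names only; never log the values, or the PAN ends up in your logs.
        print(f"REJECTED checkout request: card data found in fields {fields}")
        return False
    return True


# Constructed sample requests: a correct tokenized one and a misconfigured one.
TOKENIZED_REQUEST = {"order_id": "1234567890123", "token": "tok_constructed_123", "name": "A. Buyer"}
RAW_CARD_REQUEST = {"order_id": "1234567890123", "card_number": "4242 4242 4242 4242", "cvv": "123"}

if __name__ == "__main__":
    print(reject_if_card_data(TOKENIZED_REQUEST))   # True
    print(reject_if_card_data(RAW_CARD_REQUEST))    # False
```

The 13-digit order id is deliberately left in both requests: it matches the digit pattern but fails Luhn, which is why the check does not flag it.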



Post by OSWorX » Thu Feb 06, 2020 11:41 pm

matthewbaynham wrote:
Thu Feb 06, 2020 10:30 pm
I've found out about the PCI Security Standards Council and it seems to be a little more robust than just using an SSL.

https://www.pcisecuritystandards.org

Why is their document library so extensive if the only thing I need to do is manage an SSL?

Looks like the PCI SSC is saying it's complicated and you guys are saying it's easy.

Wikipedia says a few things https://en.wikipedia.org/wiki/Payment_C ... y_Standard

Does the PCI SSC just not apply if you have transactions going through extensions? Or do the payment extensions store the data?

Why is there a mismatch between them and you?
Security and "how to make a website secure" is never easy!
Nobody ever said that.

But what is "easy" is to follow serious advice.
If I say "do not use an SSL certificate" when it is from Let's Encrypt, I have already said why.
If I say "do not use scripts, extensions, templates" from obscure sources, you (and everybody) should follow that advice!
If I say "do not use obscured/encrypted extensions", you (and everybody) should follow that advice!


Having been in the scene long enough, I know why I tell you that.
Besides a few other serious guys here, we have to deal with "security" every day.
It is part of our "business" that we take very seriously.

When you say " .. mismatch between them and you .." you have to know what you are saying.
As Johnathan already mentioned, PCI (and following that standard) is only required if you (your system) handle payment data on your own server.
Of course, if you have enough money (around 1 million Euro), the knowledge and a few more things, you could meet that standard.
But it is not required.

Because here the "other" part (the easy one) comes into play.
As said above, follow the 3 most important pieces of advice.

A fourth action could be (if you know how to) to inspect the code of the payment extension.
What I sometimes discover is that some of them do so-called "license checks".
Meaning, they are calling home ..
Not only once; the worst of them also send customer and payment data to a Gmail address.

Another security measure is not to operate something like WordPress on the same server under the same account!
Why?
The moment WP is not properly updated and a security hole is open there, your complete server is open and infected.
This is all a hacker needs to place some scripts on your server sending all payment data to China, Russia or somewhere else!

So, always operate the webshop with OpenCart as the only instance on your server account!

Next, if you give someone (e.g. a developer) access to the server (e.g. FTP), be sure that you can trust him/her/it.
I myself would never let a person onto my server if I only have a Gmail address or a Skype address for them.
Verify first who he/she/it is.

Same goes for access to the backend.
If you do not know the person very well, don't let them in!

You see, security is not only installing an SSL certificate.
There is quite a bit more .. but following the "basics" of security is .. easy.

Because at the end, you are responsible for all the data and the security!
Nobody else.


Post by matthewbaynham » Thu Feb 13, 2020 9:41 pm

I've been reading the PCI documentation and it looks like everyone who is running a webshop needs to be PCI compliant. Most companies will be small enough to be classified as compliance level 4 (unless you have over 20,000 transactions per year, plus other criteria), so they will only have to do a SAQ (Self-Assessment Questionnaire).

(For compliance levels see https://en.wikipedia.org/wiki/Payment_C ... y_Standard but I can't find this on the PCI's own website.)

https://www.pcisecuritystandards.org/merchants/
At the bottom "Do small merchants with limited transaction volumes need to comply with PCI DSS?" answer "PCI DSS is intended for all entities involved in payment processing, including merchants, regardless of their size or transaction volume. " ... it goes on.

I haven't yet figured out if SAQ A or SAQ A-EP applies.

Instructions
https://www.pcisecuritystandards.org/do ... 1581911306
https://www.pcisecuritystandards.org/do ... 1581911316

Questionnaires
SAQ A
https://www.pcisecuritystandards.org/do ... 1581911328
SAQ A-EP
https://www.pcisecuritystandards.org/do ... 1581911346

If anyone knows whether SAQ A or SAQ A-EP applies then can you explain?
