I am nearing the end of a long and somewhat painful PCI compliance scan process. This has been educational and time consuming. One of the final issues seems to perhaps be an OpenCart driven issue so I'm throwing it out here. Currently we are on 1.5.6.4 using the default theme. I am waiting to move to version 2 when things on our end settle down.
The issue is this. I need to disable "autocomplete" for all sensitive fields.
The description in the issue says this:
Disable autocomplete for all sensitive fields. For each sensitive field in the HTML, set the "autocomplete" attribute to "off". For example <input type="password" autocomplete="off" name="pw">
It goes on to say that if there are many fields, you can set autocomplete to off in the outer <form> tag.
I don't want to muck with my core pages only to have to re-do them again later when I upgrade.
Is there a way to do this without crawling through my templates? Perhaps an admin setting?
Also, is there a list of pages this impacts? I'm thinking it must apply to admin login but can't think of other places where it applies.
Thanks
john
It all comes down to the individual payment modules. I've created a vQmod to do this (Attached)
Unless they are saying you should do that for the address fields too? I've never heard of a PCI compliance requiring that, but I've added that as a separate script as well
Not tested, so let me know. It should technically work with any version of OpenCart.
Man, you've gotta love PCI.
1. This is an end-user/browser issue, not a website issue.
2. Modern browsers don't even honor autocomplete anymore.
The PCI assessor will probably never listen to that so I'd just update the templates. The files are at:
/catalog/view/theme/default/template/account/login.tpl
/catalog/view/theme/default/template/checkout/login.tpl
You may also have to make the changes on admin depending on if their scans picked it up:
/admin/view/template/common/login.tpl
-Ryan
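The scan description above asks for autocomplete="off" on every sensitive field, or on the enclosing form, and Ryan's reply lists the template files to check by hand. The following is an added example, not code from the original posts or from OpenCart: a lint-and-fix pass over template source that reports sensitive inputs missing the attribute (honouring a form-level autocomplete="off") and patches them. The sample template is constructed for the example and is not the contents of the real login.tpl; the set of "sensitive" field names is an assumption about how payment modules name card fields and should be extended for the modules actually installed.

```javascript
// Added example, not from the original thread or from OpenCart itself:
// flag <input> elements that collect sensitive data and lack
// autocomplete="off", then patch them. An enclosing
// <form autocomplete="off"> counts as covering every field inside it,
// which is the form-level shortcut the scan description allows.

// A tag body may contain PHP echo blocks, so "up to the next >" is not
// enough; treat <?php ... ?> as opaque while scanning a tag.
const TAG_BODY = String.raw`(?:<\?[\s\S]*?\?>|[^>])*`;
const TAG_RE = new RegExp(String.raw`<(form|input|/form)\b${TAG_BODY}>`, 'gi');
const INPUT_RE = new RegExp(String.raw`<input\b${TAG_BODY}>`, 'gi');

// Field names treated as sensitive besides type="password". Assumption:
// payment modules name card fields roughly like this; adjust to match
// the modules installed in the store.
const SENSITIVE_NAME = /card|cc_|cvv|cvc|cvn|expir/i;
const NEVER_SENSITIVE = new Set(['hidden', 'submit', 'button', 'checkbox', 'radio', 'image']);

// Read one attribute from a tag string; null when absent.
function attr(tag, name) {
  const re = new RegExp(String.raw`\s${name}\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2] !== undefined ? m[2] : m[3];
}

function isSensitive(tag) {
  const type = (attr(tag, 'type') || 'text').toLowerCase();
  if (type === 'password') return true;
  if (NEVER_SENSITIVE.has(type)) return false;
  return SENSITIVE_NAME.test(attr(tag, 'name') || '');
}

function autocompleteOff(tag) {
  const v = attr(tag, 'autocomplete');
  return v !== null && v.trim().toLowerCase() === 'off';
}

// Report sensitive inputs covered by neither a field-level nor a
// form-level autocomplete="off". Returns [{ line, tag }, ...].
function lintTemplate(source) {
  const findings = [];
  let inOffForm = false; // forms cannot nest in valid HTML, so a flag is enough
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(source)) !== null) {
    const tag = m[0];
    const kind = m[1].toLowerCase();
    if (kind === 'form') { inOffForm = autocompleteOff(tag); continue; }
    if (kind === '/form') { inOffForm = false; continue; }
    if (isSensitive(tag) && !inOffForm && !autocompleteOff(tag)) {
      findings.push({ line: source.slice(0, m.index).split('\n').length, tag });
    }
  }
  return findings;
}

// Patch every sensitive input that is not already off, whether or not its
// form is; a redundant field-level attribute inside an off form is harmless.
function fixTemplate(source) {
  return source.replace(INPUT_RE, tag => {
    if (!isSensitive(tag) || autocompleteOff(tag)) return tag;
    return attr(tag, 'autocomplete') !== null
      ? tag.replace(/(\sautocomplete\s*=\s*)(?:"[^"]*"|'[^']*'|[^\s>]+)/i, '$1"off"')
      : tag.replace(/^<input/i, '<input autocomplete="off"');
  });
}

// Constructed sample in the shape of an OpenCart 1.5 login form plus a
// card form; it is not the contents of the real login.tpl.
const SAMPLE = `<form action="<?php echo $action; ?>" method="post">
  <input type="text" name="email" value="<?php echo $email; ?>" />
  <input type="password" name="password" value="<?php echo $password; ?>" />
  <input type="submit" value="<?php echo $button_login; ?>" class="button" />
</form>
<form action="<?php echo $pay_action; ?>" method="post" autocomplete="off">
  <input type="text" name="cc_number" />
  <input type="text" name="cc_cvv2" />
</form>
<input type="text" name="card_holder" autocomplete="on" />
`;

for (const f of lintTemplate(SAMPLE)) {
  console.log(`line ${f.line}: missing autocomplete="off": ${f.tag}`);
}
```

On the constructed sample, lintTemplate flags the password field on line 3 and the card_holder field on line 10 (its autocomplete="on" is not "off"); the two card fields inside the second form are covered by the form-level attribute and are not flagged. Running the same check over the three template paths Ryan lists (read each file, pass the text to lintTemplate) gives the list of fields the scan will object to, and fixTemplate produces the patched text to write back or to turn into a vQmod search/replace.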
Ryan,
Thanks very much. I'm doing email with PCI folks now so will try it. Otherwise I'll make the change manually.
"Man, you've gotta love PCI." Well, it's a dark kind of love. I appreciate it as a consumer, but as a non-server guy, this has been a journey. For the most part, the hours have been educational and therefore worth it, but man-o-man, what a journey.
I doubled up on my pain by trying to implement Cloudflare. Right out of the box I have a name mismatch with my SSL certificate. Since I don't pay Cloudflare for a Business or Enterprise level membership, I can't upload our SSL certificate. The dual names gives us a false positive on a PCI compliance scan so I've requested an exception.
Then there was a series of stuff getting cloudflare working at all that had to do with my not having HTTPS in my OpenCart config files properly using the "s" in the URL string. Not part of the PCI issue technically but tangled in the mess and also educational.
Now I'm down to a cookie not being secure.
On the up side, I didn't know our install was using an old copy of PHP at the host so PCI compliance took me to school on some regular update items that needed handling.
Oye.
I appreciate your help on this one.
john