Kryptronic Software Support Forum


#1 01-20-2009 04:15:24

Photo
Member
Registered: 09-17-2008
Posts: 4

PCI DSS Compliant

Hello
Is ClickCartPro PCI DSS compliant?


Thanks


#2 01-20-2009 13:47:20

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: PCI DSS Compliant

Mostly.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience


#3 01-22-2009 08:50:10

Photo
Member
Registered: 09-17-2008
Posts: 4

Re: PCI DSS Compliant

cyberws wrote:

Mostly.

Mostly = No
Thanks for the reply. Do you know if CCP Version 7 will be compliant?


Thanks


#4 01-22-2009 09:29:41

dh783
Member
From: Avondale, Arizona
Registered: 04-06-2005
Posts: 6233

Re: PCI DSS Compliant

Since the PCI DSS concerns are with the safe storage of customer credit card information, and since ccp in any form does not keep or store that information, the concerns fall on your credit card processor and not you. I would say at most your responsibility is to have and keep a valid security certificate to keep the customers' information encrypted when using the site.

John


#5 01-22-2009 11:00:59

Photo
Member
Registered: 09-17-2008
Posts: 4

Re: PCI DSS Compliant

dh783 wrote:

Since the PCI DSS concerns are with the safe storage of customer credit card information, and since ccp in any form does not keep or store that information, the concerns fall on your credit card processor and not you. I would say at most your responsibility is to have and keep a valid security certificate to keep the customers' information encrypted when using the site.

John

From what is published on the Visa website, it would appear that if a merchant collects card details on their site, whether they save them or not, they are required to be compliant. Please see an extract from the Visa site, http://usa.visa.com/merchants/risk_mana … tions.html

"Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. PA-DSS does not apply to software applications developed by merchants and agents for in-house use only. These in-house software applications are covered within a merchant or agent’s PCI DSS assessment."

Also from the same page, effective 7/1/10:

"Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications"

I realize that very few carts are compliant at this time, but it surely must be a top priority for cart vendors given the 7/1/10 deadline?


#6 01-22-2009 12:40:39

dh783
Member
From: Avondale, Arizona
Registered: 04-06-2005
Posts: 6233

Re: PCI DSS Compliant

After looking over the requirements for PA DSS again, I have not seen an area in which ccp does not meet them. Some areas are outside the control of ccp, as in who has access to the server on which it runs or how you handle card information you may have gotten from the offline payment gateway; ccp has no control over either of these. If you have a specific concern, please post it so that someone could do further investigation into the matter.

John


#7 01-22-2009 12:59:29

rachaelseven
Member
From: Massachusetts, USA
Registered: 01-23-2006
Posts: 3169

Re: PCI DSS Compliant

Fwiw, I just went through this on my site.  I'm still running version 5.1, but even with that version, I ran into very few issues that were actually within control of CCP.  The only thing that wouldn't pass with 5.1 was the so-called "cross site scripting vulnerability".  I know for a fact that version 6.0 does not suffer from that problem, due to extensive checks, thorough cleansing, and strict control of data that is passed through forms.  All the rest of my failures were things to do with my server, such as accepting unencrypted FTP connections and things like that.  I can't make any "official" claims for CCP6, but from my experience with PCI compliance testing and my knowledge of CCP6, I would be very, very surprised if there were any PCI compliance failures that were due to CCP.


Rachael Katz
- Custom Focusing Screens for DSLR Cameras


#8 01-22-2009 14:10:21

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 936

Re: PCI DSS Compliant

My v6 CCP software passed PCI Compliance with no problems detected.

Bear in mind, the software is the only thing that has to pass.
Other pieces that have to pass include your host software and hardware, how you handle the cc data offline, how you handle passwords, how you connect to the ecommerce software (e.g., wireless), etc.

Your software should pass to prevent injection attacks.


#9 01-22-2009 17:51:33

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: PCI DSS Compliant

The biggest thing with CCP and PCI compliance is forcing password changing on a regular basis. If you note, systems like Authorize.net force you to reset your password every twoish months (I can't remember the exact time). In addition, Anet won't let you use one of your recent passwords. CCP does nothing like this. The other areas of PCI compliance (since CC data isn't stored) are outside of CCP, like running a firewall.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience

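The two admin-password controls post #9 says CCP lacks (a maximum password age and a block on reusing recent passwords) can be bolted onto a PHP application with the standard password_hash/password_verify functions. This is an added illustration, not ClickCartPro code; the 90-day limit and four-entry history are assumptions, and the hashes and timestamp are constructed sample data.

```php
<?php
// Added example (not ClickCartPro code): password expiry plus reuse
// prevention. Limits are assumptions; use the values your assessment requires.
const MAX_PASSWORD_AGE_DAYS = 90;
const PASSWORD_HISTORY_DEPTH = 4;

// True when the current password was set longer ago than the allowed age.
function passwordExpired(int $changedAt, ?int $now = null): bool
{
    $now = $now ?? time();
    return ($now - $changedAt) > MAX_PASSWORD_AGE_DAYS * 86400;
}

// True when the candidate matches any of the most recent stored hashes.
// $history holds password_hash() outputs, newest first; plaintext is
// never stored, so the comparison has to go through password_verify().
function passwordReused(string $candidate, array $history): bool
{
    foreach (array_slice($history, 0, PASSWORD_HISTORY_DEPTH) as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Accepts a new password only if it is not in the history, then records
// its hash at the front of the list and trims the list to the history depth.
function rotatePassword(string $newPassword, array $history): array
{
    if (passwordReused($newPassword, $history)) {
        throw new InvalidArgumentException('Password was used recently.');
    }
    array_unshift($history, password_hash($newPassword, PASSWORD_DEFAULT));
    return array_slice($history, 0, PASSWORD_HISTORY_DEPTH);
}

// Constructed demo: an admin whose password was last changed 100 days ago.
$history   = [password_hash('Winter2008!', PASSWORD_DEFAULT)];
$changedAt = time() - 100 * 86400;

if (passwordExpired($changedAt)) {
    echo "Password is older than the limit; force a change at next login.\n";
}
try {
    $history = rotatePassword('Winter2008!', $history); // same as before
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
$history = rotatePassword('Spring2009!', $history);    // accepted
echo 'Stored hashes in history: ', count($history), "\n";
```

In a real deployment the history and change timestamp live in the admin user table and the expiry check runs on every login, so a stale password cannot be used to reach the admin area.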

#10 02-03-2009 12:32:14

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 936

Re: PCI DSS Compliant

You can "force" passwords in your Standard Operating Procedures manual or Company Policies.
That is acceptable.

Last edited by Blitzen (02-03-2009 12:33:04)


#11 02-03-2009 12:59:52

dh783
Member
From: Avondale, Arizona
Registered: 04-06-2005
Posts: 6233

Re: PCI DSS Compliant

Authorize.net is one example, but my Wells Fargo account password hasn't been changed in two years, let alone two months. The most CCP is protecting is your address and phone number, and one can get that by googling one's name.

John


#12 02-23-2009 14:09:10

dskowron
Member
Registered: 11-26-2008
Posts: 142

Re: PCI DSS Compliant

There are a lot of things outside the realm of CCP that affect PCI compliance. I am battling this now with my own site. My hosting provider won't turn off SSLv2 on my server and that is busting me. They also don't have the latest version of php installed and I'm getting busted for that too. That one just started yesterday.

The thing that kills me is that for being non-compliant, I am being charged $20 a month. So they really don't mind at all if you are non-compliant. In fact, I would assume they'd prefer that, since if everyone was compliant they couldn't assess the fee. It's a bribe, more or less, since they don't actually stop you from doing business. You just have to pay them 20 a month to continue earning a living. Pisses me right off, but there's nothing that can be done other than setting up shop on a new hosting service which can get compliant on their own end, thus allowing us to become compliant. I hate computers!


#13 02-23-2009 14:40:12

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: PCI DSS Compliant

dskowron> Does your current host offer VPSes? That would allow you to turn off SSLv2 and upgrade PHP on your own, and if it's with the same host, often hosts will help you move your data.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience


#14 02-23-2009 14:42:29

dskowron
Member
Registered: 11-26-2008
Posts: 142

Re: PCI DSS Compliant

cyberws wrote:

dskowron> Does your current host offer VPSes? That would allow you to turn off SSLv2 and upgrade PHP on your own, and if it's with the same host, often hosts will help you move your data.

Yeah, they do. Another 35 a month. It's cheaper to remain non-compliant! Man, they bleed ya dry!


#15 02-23-2009 14:47:15

cyberws
Member
From: Atlanta, GA
Registered: 02-05-2004
Posts: 756

Re: PCI DSS Compliant

I see. Well, I know there are VPSes out there for $35 a month including a control panel, or $30 if you don't need a control panel (or can use webmin). I don't know what you pay for your standard hosting, but obviously you are being hit with $20 for sure due to PCI DSS issues.


Jeremy O

Production CCP .:. Version 6 w/QuickBuy and many in house hacks
Skills: PHP & Perl programming, Solaris & Linux server administration, Oracle OCP training and MySQL experience


#16 04-30-2010 17:12:21

citapinc
Member
Registered: 08-16-2008
Posts: 61

Re: PCI DSS Compliant

I just attended a PA-DSS compliance webinar by TrustWave, and they are saying that any application that accepts credit cards, whether that application is a local application or a web based application, must go through the PA-DSS certification process so it can be listed on the www.pcisecuritystandards.org website for approved applications.

I would suggest contacting TrustWave and making sure CCP doesn't need to get certified.


#17 08-18-2010 09:31:55

Blitzen
Member
From: USA
Registered: 01-01-2005
Posts: 936

Re: PCI DSS Compliant

PA-DSS is required if cc data touches a server, even for a nanosecond.

To become PA-DSS compliant, the software MUST be certified by a third party.

Thus, CCP is NOT PA-DSS compliant until they get the certification.
