Hello
Is ClickCartPro PCI DSS compliant?
Thanks
Mostly.
cyberws wrote:
Mostly.
Mostly = No
Thanks for the reply. Do you know if CCP Version 7 will be compliant?
Thanks
Since the PCI DSS concerns are with the safe storage of customer credit card information, and since CCP in any form does not keep or store that information, the concerns fall on your credit card processor and not you. I would say at most your responsibility is to have and keep a valid security certificate to keep the customers' information encrypted when using the site.
John
dh783 wrote:
Since the PCI DSS concerns are with the safe storage of customer credit card information, and since CCP in any form does not keep or store that information, the concerns fall on your credit card processor and not you. I would say at most your responsibility is to have and keep a valid security certificate to keep the customers' information encrypted when using the site.
John
From what is published on the Visa website it would appear that if a merchant collects card details on their site whether they save them or not they are required to be compliant. Please see an extract from the Visa site, http://usa.visa.com/merchants/risk_mana … tions.html
"Visa strongly encourages payment application vendors to develop and validate the conformance of their products to the PA-DSS. PA-DSS compliant applications help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data, and support overall compliance with the PCI DSS. PA-DSS applies only to third-party payment application software that stores, processes or transmits cardholder data as part of an authorization or settlement. PA-DSS does not apply to software applications developed by merchants and agents for in-house use only. These in-house software applications are covered within a merchant or agent’s PCI DSS assessment."
Also from the same page effective 7/1/10
"Acquirers must ensure their merchants, VNPs and agents use only PA compliant applications"
I realize that very few carts are compliant at this time, but it surely must be a top priority for cart vendors given the 7/1/10 deadline?
After looking over the requirements for PA-DSS again, I have not seen an area in which CCP does not meet them. Some areas are outside the control of CCP, such as who has access to the server on which it runs or how you handle card information you may have gotten from the offline payment gateway; CCP has no control over either of these. If you have a specific concern, please post it so that someone can do further investigation into the matter.
John
FWIW, I just went through this on my site. I'm still running version 5.1, but even with that version, I ran into very few issues that were actually within the control of CCP. The only thing that wouldn't pass with 5.1 was the so-called "cross-site scripting vulnerability". I know for a fact that version 6.0 does not suffer from that problem, due to extensive checks, thorough cleansing, and strict control of data that is passed through forms. All the rest of my failures were things to do with my server, such as accepting unencrypted FTP connections and things like that. I can't make any "official" claims for CCP6, but from my experience with PCI compliance testing and my knowledge of CCP6, I would be very, very surprised if there were any PCI compliance failures that were due to CCP.
My v6 CCP software passed PCI Compliance with no problems detected.
Bear in mind, the software is the only thing that has to pass.
Other pieces that have to pass include your host software and hardware, how you handle the cc data offline, how you handle passwords, how you connect to the ecommerce software (e.g., wireless) etc.
Your software should pass to prevent injection attacks.
The biggest thing with CCP and PCI compliance is forcing password changes on a regular basis. If you note, systems like Authorize.net force you to reset your password every two-ish months (I can't remember the exact time). In addition, Anet won't let you use one of your recent passwords. CCP does nothing like this. The other areas of PCI compliance (since CC data isn't stored) are outside of CCP, like running a firewall.
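The password-expiry and password-history behaviour described in the post above (forced rotation, no reuse of recent passwords) is a small piece of logic, and a cart that lacks it can gain it at the login layer. What follows is an added example, not code from ClickCartPro or from anyone in this thread. The 90-day maximum age and the "last four passwords" history depth are the figures PCI DSS requirements 8.5.9 and 8.5.12 (v1.2) ask for, set here as parameters; the `PasswordRecord` class, the outcome strings and the `demo()` scenario are this example's own inventions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# PCI DSS v1.2 req. 8.5.9 / 8.5.12 figures; both are tunable.
MAX_AGE_DAYS = 90       # force a change once the password is this old
HISTORY_DEPTH = 4       # current password + previous ones that may not be reused
PBKDF2_ROUNDS = 100_000

# Fixed clock for the worked scenario (constructed value, not from the thread).
T0 = datetime(2009, 2, 3)


def days_after(n: int) -> datetime:
    return T0 + timedelta(days=n)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-account state: current (salt, hash) plus the previous entries.

    Every entry keeps its own salt, so a reuse check re-derives the candidate
    under each old salt instead of sharing one salt across the history.
    """

    def __init__(self, password: str, now: datetime):
        self.entries: list[tuple[bytes, bytes]] = []   # newest first
        self._push(password)
        self.changed_at = now

    def _push(self, password: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _hash(password, salt)))
        del self.entries[HISTORY_DEPTH:]                # keep at most HISTORY_DEPTH

    def _matches(self, password: str, entry: tuple[bytes, bytes]) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def verify(self, password: str) -> bool:
        return self._matches(password, self.entries[0])

    def is_expired(self, now: datetime) -> bool:
        return now - self.changed_at >= timedelta(days=MAX_AGE_DAYS)

    def change(self, old: str, new: str, now: datetime) -> str:
        if not self.verify(old):
            return "rejected: current password incorrect"
        if any(self._matches(new, e) for e in self.entries):
            return "rejected: reused"
        self._push(new)
        self.changed_at = now
        return "ok"


def login(record: PasswordRecord, password: str, now: datetime) -> str:
    """'denied' on a bad password, 'expired' when the caller must force a
    change before granting access, otherwise 'ok'."""
    if not record.verify(password):
        return "denied"
    if record.is_expired(now):
        return "expired"
    return "ok"


def demo() -> list[str]:
    """Walk one account through rotation and the history window."""
    out = []
    r = PasswordRecord("P0", T0)
    out.append(login(r, "P0", T0))                        # ok
    out.append(login(r, "nope", T0))                      # denied
    out.append(login(r, "P0", days_after(90)))            # expired
    out.append(r.change("wrong", "P1", T0))               # current password incorrect
    out.append(r.change("P0", "P0", T0))                  # reused
    for i, pw in enumerate(["P1", "P2", "P3"], start=1):
        r.change("P%d" % (i - 1), pw, days_after(30 * i))
    out.append(r.change("P3", "P0", days_after(100)))     # still in last four: reused
    out.append(r.change("P3", "P4", days_after(100)))     # ok, P0 drops off the window
    out.append(r.change("P4", "P0", days_after(101)))     # ok now
    return out
```

The `expired` outcome is what the post's Authorize.net example is doing: the user is still authenticated but is routed to a mandatory change screen rather than into the admin area.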
You can "force" passwords in your Standard Operating Procedures manual or Company Policies.
That is acceptable.
Last edited by Blitzen (02-03-2009 12:33:04)
Authorize.net is one example, but my Wells Fargo account password hasn't been changed in two years, let alone two months. The most CCP is protecting is your address and phone number, and one can get that by googling one's name.
John
There are a lot of things outside the realm of CCP that affect PCI compliance. I am battling this now with my own site. My hosting provider won't turn off SSLv2 on my server, and that is busting me. They also don't have the latest version of PHP installed, and I'm getting busted for that too. That one just started yesterday.
The thing that kills me is that for being non-compliant, I am being charged $20 a month. So they really don't mind at all if you are non-compliant. In fact, I would assume they'd prefer that, since if everyone was compliant they couldn't assess the fee. It's a bribe, more or less, since they don't actually stop you from doing business. You just have to pay them 20 a month to continue earning a living. Pisses me right off, but there's nothing that can be done other than setting up shop on a new hosting service which can get compliant on their own end, thus allowing us to become compliant. I hate computers!
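The SSLv2 finding in the post above is the kind of thing a merchant can verify independently before arguing with a host or a scanning vendor. The check below is an added example, not from the thread or from any scanner: it sends a minimal SSLv2 ClientHello (the 2-byte record header with the high bit set, message type 0x01, version 0x0002, the seven cipher kinds from the SSL 2.0 draft, and a 16-byte challenge) and reports which cipher kinds the server offers back in its ServerHello. A server that answers with anything other than a type-0x04 SSLv2 ServerHello (an SSLv3/TLS alert, a reset, silence) has SSLv2 off. The function names, the `SAMPLE_SERVER_HELLO` and `SAMPLE_TLS_ALERT` bytes are constructed for this example; a real ServerHello also carries the certificate between the header and the cipher list, which the parser skips by the declared length.

```python
import os
import socket
import struct

# 3-byte SSLv2 "cipher kind" codes from the SSL 2.0 draft specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04
SSL2_VERSION = 0x0002


def build_client_hello(challenge: bytes = b"") -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind, no session id."""
    challenge = challenge or os.urandom(16)
    specs = b"".join(SSL2_CIPHERS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSL2_VERSION,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte record header: bit 15 set means "no padding", low 15 bits = length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record: bytes):
    """Cipher names the server offers, or None if this is not an SSLv2 SERVER-HELLO."""
    if len(record) < 2 or not record[0] & 0x80:
        return None                                   # not an SSLv2 record header
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    (_msg, _session_hit, _cert_type, version,
     cert_len, spec_len, _conn_len) = struct.unpack(">BBBHHHH", body[:11])
    if version != SSL2_VERSION or spec_len % 3:
        return None
    start = 11 + cert_len                             # cipher specs follow the certificate
    specs = body[start:start + spec_len]
    if len(specs) != spec_len:
        return None
    return [SSL2_CIPHERS.get(specs[i:i + 3], "unknown " + specs[i:i + 3].hex())
            for i in range(0, spec_len, 3)]


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check: list of cipher kinds if SSLv2 is enabled, else None."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(2)
            if len(data) == 2 and data[0] & 0x80:     # read the whole SSLv2 record
                need = ((data[0] & 0x7F) << 8) | data[1]
                while len(data) < 2 + need:
                    chunk = s.recv(2 + need - len(data))
                    if not chunk:
                        break
                    data += chunk
        except (socket.timeout, ConnectionError):
            return None
    return parse_server_hello(data)


# Constructed SERVER-HELLO (no certificate, two cipher kinds, 16-byte connection id).
_body = bytes([MSG_SERVER_HELLO, 0x00, 0x01]) + struct.pack(">HHHH", SSL2_VERSION, 0, 6, 16)
_body += b"\x01\x00\x80\x07\x00\xc0" + b"\x42" * 16
SAMPLE_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_body)) + _body

# Constructed TLS 1.0 alert (protocol_version), what a hardened server sends instead.
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_server_hello(SAMPLE_SERVER_HELLO))
```

Modern OpenSSL builds no longer ship SSLv2, so `openssl s_client -ssl2` is usually not available for this check, which is why the probe speaks the record format itself. On a server you control, the Apache mod_ssl fix is `SSLProtocol all -SSLv2` in the SSL virtual host; on shared hosting without that access, the VPS suggestion that follows in the thread is the realistic route.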
dskowron> Does your current host offer VPSes? That would allow you to turn off SSLv2 and upgrade PHP on your own, and if it's with the same host, hosts will often help you move your data.
cyberws wrote:
dskowron> Does your current host offer VPSes? That would allow you to turn off SSLv2 and upgrade PHP on your own, and if it's with the same host, hosts will often help you move your data.
Yeah, they do. Another 35 a month. It's cheaper to remain non-compliant! Man, they bleed ya dry!
I see. Well, I know there are VPSes out there for $35 a month including a control panel, or $30 if you don't need a control panel (or can use webmin). I don't know what you pay for your standard hosting, but obviously you are being hit with $20 for sure due to PCI DSS issues.
I just attended a PA-DSS compliance webinar by TrustWave, and they are saying that any application that accepts credit cards, whether that application is a local application or a web-based application, must go through the PA-DSS certification process so it can be listed on the www.pcisecuritystandards.org website for approved applications.
I would suggest contacting TrustWave and making sure CCP doesn't need to get certified.
PA-DSS is required if cc data touches a server, even for a nanosecond.
To become PA-DSS compliant, the software MUST be certified by a third party.
Thus, CCP is NOT PA-DSS compliant until they get the certification.