Difference between revisions of "X-Cart:PCI-DSS"

From X-Cart 4 Classic
Revision as of 11:22, 14 October 2010

X-Cart 4.0 or above

PCI compliance is increasingly important to all online store owners, and X-Cart can be implemented to meet this standard. Follow the steps below when implementing X-Cart in a PCI compliant manner.

Note: X-Cart itself is not certified, and a store cannot be configured to meet PCI DSS if unmasked credit card numbers are stored in its database.

About PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard, a worldwide information security standard assembled by the major credit card vendors (American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa, Inc.). The standard was designed to help organizations that process credit card payments online secure their payment systems against cardholder data fraud.

PCI DSS specifies 12 requirements, grouped into 6 categories, that apply to the hardware and software components of the system used to collect, store, transmit and process credit card data, as well as to the people who operate it.

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

To get familiar with the practical aspects of implementing PCI DSS, study the Braintree PCI-DSS compliance Quick Guide.

Configuring X-Cart to meet PCI DSS (cardholder data is not stored)

Disable collecting of credit card data at user registration

If so configured, X-Cart can collect customers' credit card details during registration. This is controlled by two check boxes in the section General Settings / General Options of the Admin area:

  • Do not ask customers to enter CC information while getting registered: when enabled, customers are not asked to provide credit card details during registration;
  • Display CVV2 input box on the registration form and at the last stage of checkout if Manual CC processing is used...: when enabled, customers are asked to provide the CVV2 code during registration.

Asking for credit card data during registration must be disabled: enable the first option and disable the second, as shown in the picture below.

(Screenshot: X-paymentsconnector 01.png)

Disable storing credit card data in X-Cart database

If so configured, X-Cart can store credit card data in its database (encrypted). This is controlled by three variables in the main configuration file <xcart_dir>/config.php. Set all three variables to false (the default setting); no credit card data will then be stored in the X-Cart database.

# file <xcart_dir>/config.php
# Card data storage switches: all three must be false (the default)
$store_cc = false;
$store_ch = false;
$store_cvv2 = false;
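The setting above is easy to get wrong during an upgrade or when an old config.php is copied over, so it is worth verifying from the command line. The following POSIX shell script is an added check written for this page, not X-Cart code: it reads a config.php, reports the effective value of each of the three switches and fails unless every one of them is disabled. It assumes each switch is assigned on its own line as `$name = value;`, that the last assignment wins, and that lines beginning with `#` or `//` are comments; PHP block comments and included files are not handled. The sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not X-Cart code: audit an X-Cart 4 config.php for the three
# card-storage switches and fail unless every one of them is disabled.
# Assumptions: each switch is assigned on its own line as "$name = value;",
# the last assignment wins, and lines starting with # or // are comments
# (PHP /* */ block comments and included files are not handled).

# Print the effective value of $<name> in <file>, lowercased ("false", "true",
# "0", ...), or "missing" if no uncommented line assigns it.
xcart_flag_value() {
    f=$1
    n=$2
    v=$(sed -e 's/^[[:space:]]*//' "$f" \
        | grep -v -e '^#' -e '^//' \
        | grep -E "^\\\$$n[[:space:]]*=" \
        | tail -n 1 \
        | sed -E "s/^\\\$$n[[:space:]]*=[[:space:]]*//; s/[[:space:]]*;.*$//")
    if [ -z "$v" ]; then
        echo missing
    else
        printf '%s\n' "$v" | tr 'A-Z' 'a-z'
    fi
}

# Report each switch; return 1 if any of them is not false (PHP 0 also counts
# as off). A missing switch is reported as FAIL because it cannot be verified.
xcart_card_storage_audit() {
    file=$1
    rc=0
    for name in store_cc store_ch store_cvv2; do
        val=$(xcart_flag_value "$file" "$name")
        case $val in
            false|0) printf 'ok    $%s = %s\n' "$name" "$val" ;;
            *)       printf 'FAIL  $%s = %s\n' "$name" "$val"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample config (not a real X-Cart file) with one switch left on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<?php
# $store_cc = true;   (commented out: must be ignored)
$store_cc = false;
$store_ch = FALSE ;
$store_cvv2 = true;
EOF
if xcart_card_storage_audit "$sample"; then
    echo "card storage is disabled"
else
    echo "card storage still enabled: fix config.php before going live"
fi
rm -f "$sample"
```

Run it as `sh audit.sh` on the store's own config.php (replacing the constructed sample); a FAIL line names the switch that still needs to be set to false.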

Remove historical data

Removing historical data, such as card validation codes and other credit card information, after the orders that used it have been processed and completed is absolutely necessary for PCI DSS compliance. To remove this data, use the Summary > Tools section of the X-Cart admin back-end.

Disable Subscriptions module

When the built-in X-Cart module Subscriptions is enabled, X-Cart keeps credit card data stored in its database. Follow these steps to disable the module:

  1. Log in to the X-Cart Admin area.
  2. Go to the section Modules (Administration module -> Modules)
  3. Deselect the check box for the entry Subscriptions.
  4. Click the Update button at the bottom of the page to save the changes.

Outsource all processing and transmission of cardholder data (optional)

The easiest way to deal with PCI-DSS compliance is to use web-based payment gateways, which eliminate the need for customers to enter credit card details on your web site and thus reduce the effort of meeting the PCI-DSS requirements. X-Cart supports quite a number of such "offsite" payment gateways, such as PayPal Express Checkout, Google Checkout, WorldPay, 2Checkout, Authorize.net SIM and many more.

If your store has a background payment method enabled, customers input their credit card data on the X-Cart side at the final step of checkout. It is recommended to disable background payment methods in the Settings menu -> Payment methods section of the X-Cart admin back-end. If no payment method collects card data on your site, you can fill out the simplest of the PCI Self-Assessment Questionnaires (SAQ A); which SAQ applies to your store is ultimately confirmed with your acquiring bank.

Disabling background payment methods is not required to comply with PCI-DSS but is recommended to eliminate any possible risk of compromising cardholder data.

If you want credit card data to be entered on the X-Cart side, you must make sure that your store runs in a PCI-compliant hosting environment and that X-Cart is set up in a PCI-compliant manner, i.e. you use PA-DSS certified software to process credit card payments. You will have to fill out PCI SAQ C in this case.

Configuring X-Cart to meet PCI-DSS with X-Payments application

X-Cart 4.1.12 or above

To make sure that cardholder data is entered and transmitted securely on your web site during checkout, it is recommended to use the X-Payments application along with X-Cart. Examine the following pages on how to set up a secure, PCI-DSS compliant environment:

In this case, PCI SAQ C must be completed.

See also