Difference between revisions of "X-Cart:PCI-DSS"
(→Disable background payment methods) |
|||
Line 42: | Line 42: | ||
== Simplifying PCI DSS compliance == | == Simplifying PCI DSS compliance == | ||
− | Bringing the whole system into full PCI DSS compliance is rather a resource-consuming task that can hardly be completely implemented by small and medium businesses because it stipulates that the compliance must cover all components of the system. This gives rise to a common misconception about PCI DSS that is that the requirements must be met across all applications in the payment transaction flow without exception. In reality, the standard only applies to the components that store, transmit and process cardholder data, and is not applicable to other components if they are logically isolated. Therefore, a common practice is to take a web store itself out of PCI DSS scope (i.e. | + | Bringing the whole system into full PCI DSS compliance is rather a resource-consuming task that can hardly be completely implemented by small and medium businesses because it stipulates that the compliance must cover all components of the system. This gives rise to a common misconception about PCI DSS that is that the requirements must be met across all applications in the payment transaction flow without exception. In reality, the standard only applies to the components that store, transmit and process cardholder data, and is not applicable to other components if they are logically isolated. Therefore, a common practice is to take a web store itself out of PCI DSS scope (i.e. outsource all processing, transmission and storage of cardholder data) and arrange certified third-party services and providers that do have adequate resources to ensure full PCI DSS compliance of their products and services: compliant hosting provider, compliant payment application and payment gateway, etc. |
− | + | In case you want cardholder data to be entered on X-Cart side it's necessary to make sure that your store is implemented in a PCI-compliant hosting environment. | |
== Configuring X-Cart to meet PCI DSS == | == Configuring X-Cart to meet PCI DSS == | ||
Line 63: | Line 63: | ||
=== Disable storing credit card data in X-Cart database === | === Disable storing credit card data in X-Cart database === | ||
− | If forced, X-Cart can store valuable credit card data in an encrypted database. This | + | If forced, X-Cart can store valuable credit card data in an encrypted database. This is controlled via three variables in the main configuration file <tt><u><xcart_dir>/config.php</u></tt>. You must set the value of all the three variables to false (which is the default setting), and no credit card will be stored in the X-Cart database then. |
<source> | <source> | ||
Line 77: | Line 77: | ||
Removing historical data, such as card validation codes and other credit card information after the orders using it have been processed and completed, is absolutely necessary for PCI DSS compliance. To remove this data use the <u>Summary > Tools</u> section of X-Cart admin back-end. | Removing historical data, such as card validation codes and other credit card information after the orders using it have been processed and completed, is absolutely necessary for PCI DSS compliance. To remove this data use the <u>Summary > Tools</u> section of X-Cart admin back-end. | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
=== Disable Subscriptions module === | === Disable Subscriptions module === | ||
− | When the built-in X-Cart module [[X-Cart:Subscriptions|Subscriptions]] is enabled, X-Cart keeps credit card data in its database | + | When the built-in X-Cart module [[X-Cart:Subscriptions|Subscriptions]] is enabled, X-Cart keeps credit card data in its database. Follow these steps to disable the module: |
# Log in to the X-Cart Admin area. | # Log in to the X-Cart Admin area. | ||
Line 92: | Line 86: | ||
# Deselect the check box for the entry '''Subscriptions'''. | # Deselect the check box for the entry '''Subscriptions'''. | ||
# Click the '''Update''' button at the bottom of the page to save the changes. | # Click the '''Update''' button at the bottom of the page to save the changes. | ||
+ | |||
+ | === Outsource all processing, transmission and storage of cardholder data (optional) === | ||
+ | |||
+ | When using a background payment method, customers input their credit card data on the X-Cart side at the final step of checkout. To minimize risks of compromising cardholder data it is recommended to disable background payment methods. This can be done using the <u>Settings menu -> Payment methods</u> section of the X-Cart admin back-end. In this case you'll have to fill out the simplest of PCI-DSS Self-Assessment Questionnaires ("SAQ A"). | ||
+ | |||
+ | ==See also== | ||
+ | |||
+ | * [https://www.pcisecuritystandards.org PCI Security Standards Council website] | ||
+ | * [http://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf Braintree PCI-DSS compliance Quick Guide] | ||
[[Category:X-Cart user manual]] | [[Category:X-Cart user manual]] |
Revision as of 18:38, 29 March 2010
Contents
About PCI DSS
PCI DSS stands for Payment Card Industry Data Security Standard, which is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.
PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.
Build and Maintain a Secure Network |
|
Protect Cardholder Data |
|
Maintain a Vulnerability Management Program |
|
Implement Strong Access Control Measures |
|
Regularly Monitor and Test Networks |
|
Maintain an Information Security Policy |
|
Simplifying PCI DSS compliance
Bringing the whole system into full PCI DSS compliance is rather a resource-consuming task that can hardly be completely implemented by small and medium businesses because it stipulates that the compliance must cover all components of the system. This gives rise to a common misconception about PCI DSS that is that the requirements must be met across all applications in the payment transaction flow without exception. In reality, the standard only applies to the components that store, transmit and process cardholder data, and is not applicable to other components if they are logically isolated. Therefore, a common practice is to take a web store itself out of PCI DSS scope (i.e. outsource all processing, transmission and storage of cardholder data) and arrange certified third-party services and providers that do have adequate resources to ensure full PCI DSS compliance of their products and services: compliant hosting provider, compliant payment application and payment gateway, etc.
In case you want cardholder data to be entered on X-Cart side it's necessary to make sure that your store is implemented in a PCI-compliant hosting environment.
Configuring X-Cart to meet PCI DSS
PCI Compliance is increasingly important to all online store owners, and X-Cart can be implemented to meet this standard. Follow the steps when implementing X-Cart in a PCI compliant manner.
Disable collecting of credit card data
If forced, X-Cart can collect customers' credit card details during registration. This functionality is controlled via two check boxes in the section General Settings / General Options of the Admin area:
- Do not ask customers to enter CC information while getting registered: Defines if a customer will be asked to provide credit card details during registration;
- Display CVV2 input box on the registration form and at the last stage of checkout if Manual CC processing is used...: Defines if a customer will be asked to provide CVV2 during registration.
Asking for credit card data during registration must be disabled as shown in the picture below.
Disable storing credit card data in X-Cart database
If forced, X-Cart can store valuable credit card data in an encrypted database. This is controlled via three variables in the main configuration file <xcart_dir>/config.php. You must set the value of all the three variables to false (which is the default setting), and no credit card will be stored in the X-Cart database then.
# file <xcart_dir>/config.php
$store_cc = false
$store_ch = false
$store_cvv2 = false
Remove historical data
Removing historical data, such as card validation codes and other credit card information after the orders using it have been processed and completed, is absolutely necessary for PCI DSS compliance. To remove this data use the Summary > Tools section of X-Cart admin back-end.
Disable Subscriptions module
When the built-in X-Cart module Subscriptions is enabled, X-Cart keeps credit card data in its database. Follow these steps to disable the module:
- Log in to the X-Cart Admin area.
- Go to the section Modules (Administration module -> Modules)
- Deselect the check box for the entry Subscriptions.
- Click the Update button at the bottom of the page to save the changes.
Outsource all processing, transmission and storage of cardholder data (optional)
When using a background payment method, customers input their credit card data on the X-Cart side at the final step of checkout. To minimize risks of compromising cardholder data it is recommended to disable background payment methods. This can be done using the Settings menu -> Payment methods section of the X-Cart admin back-end. In this case you'll have to fill out the simplest of PCI-DSS Self-Assessment Questionnaires ("SAQ A").