Difference between revisions of "X-Cart:PCI-DSS"

From X-Cart 4 Classic

Latest revision as of 18:10, 22 July 2020

Redirect to: X-Cart:PCI DSS

X-Cart 4.0 or above

PCI compliance is increasingly important to all online store owners, and X-Cart can be implemented to meet this standard. Follow the steps below when implementing X-Cart in a PCI compliant manner.

About PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard, which is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.

PCI DSS specifies 12 requirements, broken into 6 groups, that apply to both the hardware and software parts of the system used to collect, store, transmit and process credit card data, as well as to the human factor.

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

To get familiar with the practical aspects of implementing PCI DSS, study the Braintree PCI DSS compliance Quick Guide (https://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf).

Configuring X-Cart to meet PCI DSS (cardholder data is not stored)

Disable collecting of credit card data at user registration

If configured to do so, X-Cart can collect customers' credit card details during registration. This is controlled via two check boxes in the General Settings / General Options section of the Admin area:

  • Do not ask customers to enter CC information while getting registered: Defines if a customer will be asked to provide credit card details during registration;
  • Display CVV2 input box on the registration form and at the last stage of checkout if Manual CC processing is used...: Defines if a customer will be asked to provide CVV2 during registration.

Asking for credit card data during registration must be disabled as shown in the picture below.

[Image: x-paymentsconnector_01.png]

Disable storing credit card data in X-Cart database

If configured to do so, X-Cart can store credit card data in its database in encrypted form. This is controlled via three variables in the main configuration file <xcart_dir>/config.php. All three must be set to false (the default setting), in which case no credit card data is stored in the X-Cart database:

# file <xcart_dir>/config.php
# All three storage flags must be false for the "cardholder data is not stored" configuration

$store_cc = false;
$store_ch = false;
$store_cvv2 = false;

Note: It is important to disable storing of credit card data. X-Cart is not PA-DSS certified and cannot be configured to meet PCI DSS when credit card data storing is enabled.
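A small configuration audit for the three storage flags, written for this page as an added example (it is not X-Cart's own code or tooling). It reads the text of config.php, finds the uncommented $store_cc, $store_ch and $store_cvv2 assignments, and reports any flag that is true or missing, so the "cardholder data is not stored" setting can be verified automatically after every deployment instead of by eye. The config.php fragment embedded in it is constructed for the demonstration and is not a real store's file.

```python
"""Audit the credit card storage flags in an X-Cart config.php.

Added example, not X-Cart's own code: scans config.php for the $store_cc,
$store_ch and $store_cvv2 assignments described on the page and reports any
flag that is not set to false, so the check can run from a deploy pipeline
or a cron job.
"""
import re
import sys

# The three storage flags named on the page; all must be false.
STORE_FLAGS = ("store_cc", "store_ch", "store_cvv2")

# Matches an uncommented assignment such as:  $store_cc = false;
# Only the true/false literals shown on the page are recognised; a flag set
# to anything else is reported as not assigned.
ASSIGNMENT_RE = re.compile(
    r"^\s*\$(store_cc|store_ch|store_cvv2)\s*=\s*(true|false)\s*;",
    re.IGNORECASE,
)

# Constructed sample of the relevant part of a config.php (not a real file).
SAMPLE_CONFIG = """<?php
// Credit card storage flags
$store_cc = false;
# $store_ch = false;   <- commented out, so it must be reported as unassigned
$store_cvv2 = TRUE;
"""


def parse_store_flags(config_text):
    """Return {flag: bool} for every storage flag assigned in config_text.

    Lines commented out with // or # are ignored. If a flag is assigned more
    than once the last assignment wins, as it would when PHP runs the file.
    """
    found = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("//") or stripped.startswith("#"):
            continue
        m = ASSIGNMENT_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).lower() == "true"
    return found


def audit_store_flags(config_text):
    """Return a list of findings; an empty list means all three flags are false."""
    flags = parse_store_flags(config_text)
    findings = []
    for name in STORE_FLAGS:
        if name not in flags:
            findings.append(
                f"${name} is not assigned to true or false in config.php; expected false"
            )
        elif flags[name]:
            findings.append(
                f"${name} = true: credit card data would be stored in the X-Cart database"
            )
    return findings


if __name__ == "__main__":
    # Usage: python audit_store_flags.py /path/to/config.php
    # Without an argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    problems = audit_store_flags(text)
    for problem in problems:
        print("NOT COMPLIANT:", problem)
    if not problems:
        print("OK: $store_cc, $store_ch and $store_cvv2 are all false")
    sys.exit(1 if problems else 0)
```

Run against the sample, the script reports $store_ch as unassigned (the assignment is commented out) and $store_cvv2 as true, and exits non-zero; a non-zero exit is what a deployment pipeline should treat as a failed compliance gate.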

Remove historical data

Removing historical data, such as card validation codes and other credit card information, after the orders that used it have been processed and completed is absolutely necessary for PCI DSS compliance. To remove this data, use X-Cart's Remove credit card information tool.

Disable Subscriptions module

When the built-in X-Cart module Subscriptions is enabled, X-Cart keeps credit card data stored in its database. Follow these steps to disable the module:

  1. Log in to the X-Cart Admin area.
  2. Go to the section Modules (Administration module -> Modules)
  3. Deselect the check box for the entry Subscriptions.
  4. Click the Update button at the bottom of the page to save the changes.

Secure processing and transmission of cardholder data

The easiest way to deal with PCI DSS compliance is to use web-based payment gateways, which eliminate the need for customers to enter credit card details on your website and thus reduce the effort of meeting PCI DSS requirements. X-Cart is secure and supports quite a number of such "offsite" payment gateways, such as PayPal Express Checkout, Google Checkout, Checkout by Amazon, WorldPay, 2Checkout, Authorize.net SIM and many more.

If your store has a background payment method enabled, customers input their credit card data on the X-Cart side at the final step of checkout. It is highly recommended to disable background payment methods using the Settings menu -> Payment methods section of the X-Cart admin back-end. In this case you'll have to fill out the simplest of the PCI Self-Assessment Questionnaires (SAQ A, https://www.pcisecuritystandards.org/pdfs/pci_saq_a.pdf).

If you want credit card data to be entered on the X-Cart side, you must make sure that your store runs in a PCI compliant hosting environment and that X-Cart is set up in a PCI compliant manner, i.e. you use PA-DSS certified software to process credit card payments. You'll have to fill out PCI SAQ C (https://www.pcisecuritystandards.org/pdfs/pci_saq_c.pdf) in this case.

Configuring X-Cart to meet PCI DSS with X-Payments application

X-Cart 4.1.12 or above

Why use X-Payments

X-Payments (https://www.x-cart.com/x-payments.html) is designed for merchants who accept credit card payments using background payment gateways. Being a PA-DSS certified solution, X-Payments helps merchants meet PCI standards. Connecting X-Payments to X-Cart saves merchants time and money when it comes to complying with PCI DSS.

Understanding PA-DSS

If a software application stores, transmits or processes sensitive cardholder data, the application must be PA-DSS compliant.

  • PA-DSS requires all payment applications to be certified by an approved Payment Application Qualified Security Assessor (PA-QSA). PA-QSAs are third-party security auditors, certified by the PCI Security Standards Council (PCI SSC), who verify that payment applications meet the specified security standards
  • PA-DSS payment applications must be implemented in a PCI DSS compliant environment

Becoming compliant is easy

Qualiteam has helped to make PCI compliance easier for merchants by separating the X-Payments application from the X-Cart platform. There are two important benefits of this design:

  • Only the actual payment application has to be certified and compliant, rather than the entire platform
  • X-Cart can be upgraded and customized without affecting the overall PCI compliance provided by X-Payments

Examine the following pages on how to set up X-Cart with X-Payments securely and in a PCI DSS compliant manner:

  • X-Payments:Introduction
  • X-Cart:X-Payments Connector
  • X-Payments:PA-DSS implementation guide

To become compliant, SAQ C (https://www.pcisecuritystandards.org/pdfs/pci_saq_c.pdf) must be completed.

Passing network security scans

Once the software is configured properly, you (or your service provider / web hosting company) must locate an Approved Scanning Vendor (ASV), who will conduct a network scan to ensure that the safety requirements highlighted above are actually functional and not just placeholders in the self-assessment questionnaire required for Level 2, 3 and 4 merchants and service providers.

The purpose of the scan is to locate vulnerabilities in the system that could lead to data breaches, and to diagnose and recommend measures to fix these problems. The ASV submits a report to the PCI highlighting the potential security holes and the level of vulnerability from 1 to 5 (note that here, unlike the merchant levels, Level 5 is the highest degree of vulnerability). In the case of a level 1 merchant, an on-site assessment conducted by a Qualified Security Assessor (QSA) is also mandated by the PCI.

  • List of approved QSAs: https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
  • List of approved ASVs: https://www.pcisecuritystandards.org/pdfs/asv_report.html

Submitting a self-assessment questionnaire

Finally, a self-assessment questionnaire in a prescribed format needs to be submitted to the acquiring bank; it acts as a checklist to ensure that the 12 requirements outlined above have been addressed and met. Consult the instructions on how to complete the SAQ (https://www.pcisecuritystandards.org/saq/instructions_dss.shtml#instructions).

FAQs

Does PCI DSS allow background payment methods to be used with X-Cart?

No, this is not allowed. Since X-Cart is not PA-DSS certified software, you should configure it to avoid transmitting credit card data from your store to the payment gateway by:

  • disabling background payment methods in your store, or
  • configuring X-Cart to meet PCI DSS with the X-Payments application, as described in the section above

Is it allowed to store cardholder data (credit card numbers, expiration info, etc.) in the X-Cart database?

As per PCI DSS recommendations (https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf), you should avoid storing cardholder data electronically unless there is a legitimate business reason to do so; moreover, sensitive authentication data (for example CVC2/CVV2) MUST NOT be stored at all. When using X-Cart you should disable collecting and storing of credit card data, as described in the sections above.

See also

  • X-Cart:Store Security
  • PCI FAQs
  • PCI Security Standards Council website: https://www.pcisecuritystandards.org
  • Braintree PCI DSS compliance Quick Guide: https://www.braintreepaymentsolutions.com/assets/308/PCI-Compliance.pdf