Difference between revisions of "X-Cart:PCI-DSS"

From X-Cart 4 Classic
Jump to: navigation, search
m (About PCI DSS)
Line 9: Line 9:
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
| '''Build and Maintain a Secure Network'''
+
| Build and Maintain a Secure Network
 
|
 
|
 
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data
 
* Requirement 1: Install and maintain a firewall configuration to protect cardholder data
 
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
 
* Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
 
|-
 
|-
| '''Protect Cardholder Data'''
+
| Protect Cardholder Data
 
|
 
|
 
* Requirement 3: Protect stored cardholder data
 
* Requirement 3: Protect stored cardholder data
 
* Requirement 4: Encrypt transmission of cardholder data across open, public networks
 
* Requirement 4: Encrypt transmission of cardholder data across open, public networks
 
|-
 
|-
| '''Maintain a Vulnerability Management Program'''
+
| Maintain a Vulnerability Management Program
 
|
 
|
 
* Requirement 5: Use and regularly update anti-virus software
 
* Requirement 5: Use and regularly update anti-virus software
 
* Requirement 6: Develop and maintain secure systems and applications
 
* Requirement 6: Develop and maintain secure systems and applications
 
|-
 
|-
| '''Implement Strong Access Control Measures'''
+
| Implement Strong Access Control Measures
|  
+
|
 
* Requirement 7: Restrict access to cardholder data by business need-to-know
 
* Requirement 7: Restrict access to cardholder data by business need-to-know
 
* Requirement 8: Assign a unique ID to each person with computer access
 
* Requirement 8: Assign a unique ID to each person with computer access
 
* Requirement 9: Restrict physical access to cardholder data
 
* Requirement 9: Restrict physical access to cardholder data
 
|-
 
|-
| '''Regularly Monitor and Test Networks'''
+
| Regularly Monitor and Test Networks
 
|
 
|
 
* Requirement 10: Track and monitor all access to network resources and cardholder data
 
* Requirement 10: Track and monitor all access to network resources and cardholder data
 
* Requirement 11: Regularly test security systems and processes
 
* Requirement 11: Regularly test security systems and processes
 
|-
 
|-
| '''Maintain an Information Security Policy'''
+
| Maintain an Information Security Policy
 
|
 
|
 
* Requirement 12: Maintain a policy that addresses information security
 
* Requirement 12: Maintain a policy that addresses information security

Revision as of 12:56, 8 February 2010

About PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard, which is a worldwide information security standard assembled by the major credit card vendors, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was designed to help organizations involved in processing credit card payments online make their payment systems secure from cardholder data fraud.

PCI DSS specifies 12 requirements broken into 6 groups for compliance that apply both to hardware and software parts of the system that is used to collect, store, transmit and process valuable credit card data as well as the human factor.

Build and Maintain a Secure Network
  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  • Requirement 5: Use and regularly update anti-virus software
  • Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  • Requirement 12: Maintain a policy that addresses information security

Simplifying PCI DSS compliance

Bringing the whole system into full PCI DSS compliance is rather a resource-consuming task that can hardly be completely implemented by small and medium businesses because it stipulates that the compliance must cover all components of the system. This gives rise to a common misconception about PCI DSS that is that the requirements must be met across all applications in the payment transaction flow without exception. In reality, the standard only applies to the components that store, transmit and process cardholder data, and is not applicable to other components if they are logically isolated. Therefore, a common practice is to take a web store itself out of PCI DSS scope (i.e. do not allow it to collect, store and transmit cardholder data) and arrange certified third-party services and providers that do have adequate resources to ensure full PCI DSS compliance of their products and services: compliant hosting provider, compliant payment application and payment gateway, etc.

It is important to note that while X-Cart is an integral part of the chain in obtaining PCI Compliance, it is necessary to implement X-Cart in a PCI compliant hosting environment. Below there are recommendations on configuring X-Cart to meet the PCI-DSS. For more information on PCI Compliance please visit the PCI Security Standards Council website (https://www.pcisecuritystandards.org)

Configuring X-Cart to meet PCI DSS

PCI Compliance is increasingly important to all online store owners, and X-Cart can be implemented to meet this standard. Follow the steps when implementing X-Cart in a PCI compliant manner.

Disable collecting of credit card data

If forced, X-Cart can collect customers' credit card details during registration. This functionality is controlled via two check boxes in the section General Settings / General Options of the Admin area:

  • Do not ask customers to enter CC information while getting registered: Defines if a customer will be asked to provide credit card details during registration;
  • Display CVV2 input box on the registration form and at the last stage of checkout if Manual CC processing is used...: Defines if a customer will be asked to provide CVV2 during registration.

Asking for credit card data during registration must be disabled as shown in the picture below.

X-paymentsconnector 01.png

Disable storing credit card data in X-Cart database

If forced, X-Cart can store valuable credit card data in an encrypted database. This functionality is controlled via three variables in the main configuration file <xcart_dir>/config.php. You must set the value of all the three variables to false (which is the default setting), and no credit card will be stored in the X-Cart database then.

# file <xcart_dir>/config.php

$store_cc = false
$store_ch = false
$store_cvv2 = false

Remove historical data

Removing historical data, such as card validation codes and other credit card information after the orders using it have been processed and completed, is absolutely necessary for PCI DSS compliance. To remove this data use the Summary > Tools section of X-Cart admin back-end.

Disable background payment methods

With a background payment method, customers input their credit card data on the side of X-Cart at the final step of checkout. Since X-Cart itself is taken out of PCI DSS scope and does not comply to PCI DSS requirements, you must disable all background payment methods in your store. This does not really mean that you will not be able to use background payment methods to accept payments online: an interface to use such methods is now fully supported by X-Payments, which is PCI DSS compliant.

To disable background payment methods, use the Payment methods section of the X-Cart Admin area (Settings menu -> Payment methods).

Disable Subscriptions module

When the built-in X-Cart module Subscriptions is enabled, X-Cart keeps credit card data in its database, which is prohibited by PCI DSS. To take X-Cart out of PCI DSS scope completely, you must disable the module. To disable the module:

  1. Log in to the X-Cart Admin area.
  2. Go to the section Modules (Administration module -> Modules)
  3. Deselect the check box for the entry Subscriptions.
  4. Click the Update button at the bottom of the page to save the changes.