
oscmax 2.0 pci compliance

This is a discussion on oscmax 2.0 pci compliance within the osCMax v2 Features Discussion forums, part of the osCmax v2.0 Forums category; Hi - Is the oscmax 2.0 pci code compliant? How do I make sure oscMax client sites are PCI compliant? ...

  1. #1
    Active Member
    Join Date
    Aug 2004
    Posts
    117
    Rep Power
    0


    Default oscmax 2.0 pci compliance

    Hi -

    Is the oscmax 2.0 pci code compliant? How do I make sure oscMax client sites are PCI compliant? Are there shared hosts that are pci compliant? My clients have in store POS terminals, so they have been manually entering credit card information to process orders. They have also been manually processing an order because initially they don't know the shipping charges when a person places the order.

    How have others tackled these issues? I'm eager to learn.

    Thank you,
    Barb

  2. #2
    Member
    Join Date
    Jul 2006
    Posts
    67
    Rep Power
    0


    Default Re: oscmax 2.0 pci compliance

    Perhaps you can explain what PCI compliant means, for the community enhancement.

  3. #3
    Active Member
    Join Date
    Aug 2004
    Posts
    117
    Rep Power
    0


    Default Re: oscmax 2.0 pci compliance

    Quote Originally Posted by josemanuel View Post
    Perhaps you can explain what PCI compliant means, for the community enhancement.
    Sorry. Payment Card Industry Data Security (PCI DSS) compliance rules are what I'm referring to. It is the rules that businesses have to follow in order to protect customer's credit card information. The rules apply for on line sales as well as store sales. If businesses don't adequately protect a person's credit card information they can be fined.

    You can read more here -- PCI Compliance Guide - FAQs and Tips on PCI Compliance or here https://www.pcisecuritystandards.org/

    I was wondering what other on line retailers are doing in order to comply with the new regulations.

    Barb

  4. #4
    Active Member MindTwist's Avatar
    Join Date
    Jun 2007
    Location
    Barcelona, Spain
    Posts
    409
    Rep Power
    7


    Default Re: oscmax 2.0 pci compliance

    Am I the only one who doesn't care a bit about PCI compliance? I do not even know what country you are in, but I had never heard about that before.

    Anyway, my customers enter their CC information/details on my bank website and not on mine, and I do not store any data related to their credit card details, so I doubt I should lose my sleep over that...

  5. #5
    Active Member
    Join Date
    Aug 2004
    Posts
    117
    Rep Power
    0


    Default Re: oscmax 2.0 pci compliance

    I'm in the US.

    The big news story over here is -- pcistuff

    The issue is for anyone selling online. What if someone hacks your web site and grabs your customer's credit card information? What if you hold the information to batch process at night? You are at risk while you are holding that information for a few hours. Is your bank's web site secure? Has the bank done everything they can to protect your customer's information?

    I'm not trying to start an argument, I'm just interested in how others address the situation.

    Barb

  6. #6
    Active Member MindTwist's Avatar
    Join Date
    Jun 2007
    Location
    Barcelona, Spain
    Posts
    409
    Rep Power
    7


    Default Re: oscmax 2.0 pci compliance

    My solution is easy, I do not store any credit card information from anyone. Never. In fact customers that pay with payment modules like most CC modules, Paypal, etc, rarely do so on your store. They are redirected from your checkout to whatever page they have to be redirected for the payment, and then come back to your store.

    And I would say that that applies to OSC and OSCMAX by default, would that make them PCI compliant?

  7. #7
    New Member
    Join Date
    Aug 2007
    Posts
    14
    Rep Power
    0


    Default Re: oscmax 2.0 pci compliance

    Barb,
    I'm located in the US and take PCI Compliance very seriously, as failure to do so could be a business-ending mistake. I have one osCmax site and two heavily modified osCommerce sites, and use Authorize.Net as the credit card payment gateway on all three. Here is a brief outline of what I do to maintain PCI Compliance:

    1) Do not store ANY customer credit card information on the databases (card numbers, cvv codes, etc.). Using the standard Authorize.Net Consolidated v1.7 payment module included with osCMax 2.0 takes care of this for you, with the transaction details being transmitted directly to Authorize.Net (make sure you use SSL, though).
    2) I use ControlScan for regularly scheduled threat scanning of all of my site servers (make sure your webhosting company allows this. I switched from IX Webhosting to WestHost because IX threatened to suspend my accounts because of the external security scans. When I questioned how their ecommerce customers were supposed to meet the scan requirement for PCI Compliance, the friendly folks at IX told me none of their shared servers were compliant, only their dedicated hosting plans. I ran away as fast as I could....)
    3) ControlScan also has a full PCI Compliance package that includes the PCI self-test questionnaire, compliance report for submittal to your CC processor, etc. It's not cheap, but if you talk to them let them know you're looking at other providers and they'll probably be willing to negotiate on pricing.

    I hope this is helpful, and didn't mean to sound like an advertisement for ControlScan or Authorize.Net; I just know they fit the bill.

    Bob

  8. #8
    osCMax Development Team met00's Avatar
    Join Date
    Oct 2005
    Location
    wherever I happen to be at the moment
    Posts
    854
    Blog Entries
    2
    Rep Power
    26


    Default Re: oscmax 2.0 pci compliance

    1) what Bob said...
    2) I use payflo-pro and we DO store NxxxxxxxxxxxNNNN into the local database (so a customer can see what card they used for an order) but other than that, no data is stored locally.
    3) authorize versus charge. I charge immediately. My shipping is calculated directly from UPS and/or USPS by the store and has been shown to be about 97% accurate. I do have about 5% of orders where I have to go back and use the gateway interface to manually adjust a charge.
    4) banks... Once I pass my data on to verisign/paypal it's not my problem. Then security is their issue. I managed the secure data while I had it under my control. If they can't manage the data securely, then they have issues, not I.
    so endith the lesson
    <think>sometimes I just sit's and thinks</think>
    "Here you are with a hand full of holes, a thumb up your ass, and a big grin to pass the time of day with." - TWB
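Added example (not osCmax code and not from any poster): the masked-storage format met00 describes (first digit, x's, last four), plus a check a shop owner can run over their own order rows to confirm no full card number survived in the database, the way Bob and met00 say it should not. Rows, field names and the well-known Visa/Mastercard test numbers are constructed for the example.

```python
import re

# Constructed sample rows standing in for an orders table; not real card data.
# 4111... and 5500... are the public Visa/Mastercard test numbers (Luhn-valid).
SAMPLE_ROWS = [
    {"orders_id": 1, "cc_number": "4xxxxxxxxxxx1111", "comments": "shipped UPS"},
    {"orders_id": 2, "cc_number": "4111111111111111", "comments": "manual entry"},
    {"orders_id": 3, "cc_number": "", "comments": "card 5500 0000 0000 0004 called in"},
]


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only first digit + last four, as met00 describes (NxxxxxxxxxxxNNNN).

    Rejects anything that is not a plausible card number so a typo never
    gets stored unmasked by accident.
    """
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits[0] + "x" * (len(digits) - 5) + digits[-4:]


# 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?:\d[ -]?){12,18}\d")


def find_unmasked_pans(rows):
    """Return (orders_id, field) pairs whose value contains a Luhn-valid full PAN.

    Any field is scanned, because card numbers tend to leak into free-text
    columns (order comments, notes) rather than the column meant for them.
    """
    hits = []
    for row in rows:
        for field, value in row.items():
            for m in PAN_RE.finditer(str(value)):
                if luhn_ok(re.sub(r"\D", "", m.group())):
                    hits.append((row["orders_id"], field))
    return hits
```

Run against the sample rows the check flags order 2 (full PAN in cc_number) and order 3 (a card number typed into the comments field), while the masked value in order 1 passes.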
