Has anyone been through PCI compliance testing with a SC site?
See
https://www.pcisecuritystandards.org.../pci_dss.shtml
Yes
Thanks,
Jamie
PHP shopping cart software - Squirrelcart
Please rate or review us!
Hotscripts ● PHP Resource Index
Thanks, Jamie. Any details you could share like which version(s) of SC, DSS or any general guidelines for customers going through certification?
While you will probably pass scans with versions as old as 3.0.0, and patched versions of 2.x, I would always recommend running the latest version which is now 3.2.1.
We do quarterly scans via Trustwave.com.
The latest version will pass PCI compliance scans. Your web server is also analyzed in those scans, so your web server needs to be PCI compliant as well in order to pass a scan. It is very common to fail PCI scans due to issues with your web server because the scanning software used for this is constantly updated to look for new vulnerabilities. Most of the issues you will find will be specific to your web server, and it is also very common for you to fail due to false positives. In general, I would assume that you are more likely to fail a scan than pass it. You then address the issues reported, rescan, and usually pass that second time. The next quarter comes around, and you repeat the process. It's a whole lot of fun.
If you have an issue appear in the scan that you believe to be specific to Squirrelcart, report that issue via a helpdesk ticket. If the issue truly is something related to Squirrelcart we will usually have a fix for you within hours.
Now, having said all that....
You do NOT need to have PCI scans done unless you have Squirrelcart configured to collect credit card data on your website. If you are using only PayPal, you do not need to worry about this. If you are using a payment gateway and have the connection method set to "Client side non-secure form POST" you do not need to worry about this, because you are sending the customer to the payment gateway's website to collect card data. PCI compliance only comes into play when you are handling the card data directly.
So, if you want a very easy way to take care of this issue just make sure you aren't collecting card data on your website.
Thanks,
Jamie
PHP shopping cart software - Squirrelcart
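The advice above comes down to one check: does any form on your checkout pages send card data to your own server, or does the customer's browser post it straight to the gateway? The script below is an added example, not Squirrelcart's code or anything from the original post. It parses the HTML of a checkout page, finds forms whose field names look like card-number, expiry or CVV fields, and reports whether each one submits to your host (your server receives the PAN, so the quarterly scans apply) or directly to an external gateway over HTTPS. The field-name patterns, the sample HTML, and the hosts shop.example.com and gateway.example.com are all constructed for illustration; tune the patterns to your cart's actual input names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names that suggest cardholder data (assumption; adjust for your cart's field names).
CARD_FIELD_RE = re.compile(
    r"(card_?(number|num|no)|cc_?(number|num|no)|^pan$|cvv|cvc|csc|exp_?(month|year|date|iry))",
    re.IGNORECASE,
)


class FormCollector(HTMLParser):
    """Collect every <form> on the page with its action, method and field names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "get").lower(),
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def is_card_field(name):
    """True if an input name looks like it carries card number, expiry or security code."""
    return CARD_FIELD_RE.search(name.replace("-", "_")) is not None


def classify_forms(html, site_host):
    """Return one dict per form that collects card data, flagging whether it submits
    to site_host (your server handles the PAN: in scope for the PCI scans) or to an
    external gateway (card data never touches your server)."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        card_fields = [n for n in form["fields"] if is_card_field(n)]
        if not card_fields:
            continue  # address/contact forms do not carry card data
        target = urlparse(form["action"])
        # A relative action or an absolute URL on your own host means your server receives the card data.
        posts_to_self = target.netloc == "" or target.netloc.lower() == site_host.lower()
        findings.append({
            "action": form["action"],
            "method": form["method"],
            "card_fields": card_fields,
            "in_scope": posts_to_self,
            # Direct-to-gateway is only acceptable as an HTTPS POST; GET would put the PAN in URLs and logs.
            "safe_direct_post": (not posts_to_self) and target.scheme == "https" and form["method"] == "post",
        })
    return findings


# Constructed checkout page: one form posts card data to the shop itself, one posts
# directly to a hypothetical gateway, one only collects a billing address.
SAMPLE_HTML = """
<form action="/checkout/address" method="post">
  <input name="company"><input name="address1"><input name="postcode">
</form>
<form action="/checkout/pay" method="post">
  <input name="card_number"><input name="exp_month"><input name="exp_year"><input name="cvv">
</form>
<form action="https://gateway.example.com/hosted/pay" method="post">
  <input name="cardnum"><input name="expiry"><input name="cvc2">
</form>
"""


def report(html=SAMPLE_HTML, site_host="shop.example.com"):
    """Print a one-line verdict per card-data form and return the findings."""
    findings = classify_forms(html, site_host)
    for f in findings:
        if f["in_scope"]:
            status = "IN SCOPE: your server receives card data"
        elif f["safe_direct_post"]:
            status = "direct to gateway over HTTPS POST: out of scope"
        else:
            status = "direct to gateway, but not an HTTPS POST: fix before relying on it"
        print(f"{f['method'].upper()} {f['action']}: {', '.join(f['card_fields'])} -> {status}")
    return findings


if __name__ == "__main__":
    report()
```

Run it against the saved HTML of each step of your checkout (the script parses static markup, so it will not see forms that JavaScript builds at runtime; fetch those pages after the scripts have run, or check them by hand). Any form reported as in scope means the simple route in the post above, not collecting card data on your site, does not apply to you and the quarterly scans do.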
We are intending to develop some additional tables and .php pages in the database and application to facilitate integration with an e-learning application.
The real fun about developing an integrated application is that we will need to have a source code review completed of our custom programming to ensure that there are no compromises in the application, either intentionally or unintentionally created.
Does anyone know a good security review resource that they could reply here with? Most of the security firms that offer this usually do big projects for big dollars and appear to be overpriced for a small developer like us.
Thanks!
Tom
FloCis Applications Corp