
Meeting current US requirements?


Dalobo


I have been looking around the site, but have not found the information I am looking for.

Does osCommerce meet the new strict personal/credit card information standards that the United States now requires? I am referring to the new PCI standards.

Also, does this program calculate shipping live?

Thanks!

 

Dalobo


I suggest you go to http://www.oscommerce.com and browse through the various links there, to learn about the program and see if you feel comfortable with it.

With over 50,000 registered users, that translates to lots of stores, with a good amount in the US and having no problems with credit card transactions.


Does osCommerce meet the new strict personal/credit card information standards that the United States now requires? I am referring to the new PCI standards.

This would depend on your payment gateway, server, and your business practice.

Also, does this program calculate shipping live?

Yes.


I suggest you go to http://www.oscommerce.com and browse through the various links there, to learn about the program and see if you feel comfortable with it.

With over 50,000 registered users, that translates to lots of stores, with a good amount in the US and having no problems with credit card transactions.

Feeling comfortable with osCommerce is not an issue. I have used it many times and love it. The issue is one of meeting specific security guidelines mandated by credit card companies. The failure to meet those requirements can mean a fine of up to $500,000 per occurrence and loss of a merchant account.

From what I currently understand of the guidelines, osCommerce does not meet these guidelines by itself. I do believe it does so in those cases where the merchant never sees the credit card information, as when all processing is done by a third-party card processor who is PCI compliant. If a merchant uses osCommerce and has the credit card information present on the server for download or printing in an order, they may well be in violation of those guidelines.

An individual merchant, unless they have deep pockets, probably cannot meet the guidelines, since it requires multiple servers to separate credit card data from the internet, firewalls and a host of other security measures.

The guidelines require a "system" of hardware, software and management protocols to become compliant. These would be beyond the reach of most small businesses.

Unless something changes, I have begun to advise my clients to be sure they use a third-party processor and to cease collecting ANY credit card payments for internal processing.

For the "little guy" the PCI guidelines are hard to take, because they put a real barrier to supplying or using e-commerce absent some means to separate ourselves from credit card information entirely.

I am not an expert by a long shot... just trying to learn how to live with something handed to us by hackers who messed things up for everyone by breaking into bank computers. Obviously CitiCorp can afford to plug leaks. You, I and my small business customers don't have the financial resources to do so.

Paul

I'm Paul. Web developer in Miami, Florida since 1995. Not a PHP programmer... I just muddle through with moderate success!


A little more research.

PCI compliance guidelines include:

------------------ Level 4 -----------

Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6,000,000 Visa transactions per year.

No compliance necessary, no deadline.

---------------------------------------

While this does not make osCommerce PCI compliant, it probably means it does not need to be compliant for the majority of smaller merchants using osCommerce.

It probably means that if you use a compliant card processor such as PayPal etc. you will be compliant under:

------------------ Level 3 -----------

Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.

Must meet certain requirements to comply. Deadline June 30, 2005.

-------------

Using any compliant third-party processor and making sure you are never in possession of credit card information via osCommerce, a merchant is probably perfectly safe in using this software. Of course, if you also have a brick-and-mortar store and accept credit cards, you have different obligations for protecting credit card information.

If your business is such that you keep a credit card on file in order to debit monthly charges etc., I personally suggest you not store such information on any computer connected to the internet. Buy a $299 Dell and use it just for internal bookkeeping etc. to protect your data.

------------------------------- NOTE -------------------------

This is my interpretation and opinions and should not be considered valid legal advice under any circumstance.


From what I currently understand of the guidelines, osCommerce does not meet these guidelines by itself. I do believe it does so in those cases where the merchant never sees the credit card information, as when all processing is done by a third-party card processor who is PCI compliant. If a merchant uses osCommerce and has the credit card information present on the server for download or printing in an order, they may well be in violation of those guidelines.

It's up to the store owner to decide on their payment gateway, so it's not a function of OSC to become compliant with anything. The same with SSL: if you decide not to use SSL on your checkout, then it's not because OSC failed compliance.


  • 4 months later...

Some banks, such as Bank of America, are requiring that ALL online merchants meet at least level 2-3 PCI standards. Because of the insane requirements by Visa/MC for multi-server and firewall configuration, no small mom-and-pop business can meet this.

I imagine 70% or more of osCommerce users are using hand terminals to run transactions through by hand, and using osCommerce's standard CC payment method. This requires them to store the CC information on the server in MySQL. That DB has to be separated from their website. Actually, you can't really meet the guidelines required by Visa/MC unless you own 2 or more servers. Using a web hosting company with virtual hosting won't work to meet these policies, and therefore 99% of all small e-commerce stores are in violation.


I know very little about this stuff.

But can't you split the CC# and have a portion of it emailed to you? (So the entire # is never stored on the database.)

And unless I'm mistaken, there are some email clients that make use of SSL.


Alas, if it was only that simple. You must even have tight security on your personal PC at the office AND at home; whatever computers access the CC info would be required.

Actually, I was wrong above about all merchants classifying as 2-3: if you do fewer than 20k transactions per year you don't have to meet these standards. I'm pushing around 5k myself; I would imagine there are several mom-and-pop e-stores that may be going over that limit. These PCI guidelines are insane to meet for the non-technical person, and costly even for those who are technically adept.

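An added example, not code from osCommerce or from anyone in this thread: a Python audit script for the situation described in the two posts above, where the built-in CC payment module leaves card numbers in the MySQL orders table and a store owner wonders whether a split or partially masked number is any better. It scans an exported copy of the orders rows, tells a full card number (Luhn-valid, 13 to 19 digits) apart from a masked one, and shows the truncated form (at most the first six and last four digits kept) that PCI DSS permits a merchant to retain. The column names cc_type, cc_owner, cc_number and cc_expires are assumed to match the osCommerce orders table, and the rows are constructed test data built from the standard Visa and MasterCard test numbers, not real customer records.

```python
"""Audit an osCommerce-style orders table for stored full card numbers.

Constructed example. The column names mirror the cc_type / cc_owner /
cc_number / cc_expires columns of the osCommerce `orders` table (an
assumption about the schema, not code from the project).
"""
import re

SEPARATORS = re.compile(r"[ \-]")
DIGIT = re.compile(r"\d")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check over a string of digits (rejects non-digit input)."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_cc_number(value: str) -> str:
    """Classify one cc_number cell as 'empty', 'full_pan', 'truncated' or 'other'."""
    cleaned = SEPARATORS.sub("", value or "")
    if not cleaned:
        return "empty"
    if 13 <= len(cleaned) <= 19 and luhn_valid(cleaned):
        return "full_pan"      # a complete card number is sitting in the database
    # masked forms such as 411111XXXXXX1111 keep at most first 6 + last 4 digits
    if len(cleaned) >= 13 and len(DIGIT.findall(cleaned)) <= 10:
        return "truncated"
    return "other"


def truncate_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS truncation)."""
    cleaned = SEPARATORS.sub("", pan)
    if not (13 <= len(cleaned) <= 19 and cleaned.isdigit()):
        raise ValueError("not a card number")
    return cleaned[:6] + "X" * (len(cleaned) - 10) + cleaned[-4:]


def audit_orders(rows):
    """Return the orders_id values whose cc_number holds a full card number."""
    return [r["orders_id"] for r in rows
            if classify_cc_number(r["cc_number"]) == "full_pan"]


# Constructed rows, not real customer data; card numbers are public test numbers.
SAMPLE_ORDERS = [
    {"orders_id": 1001, "payment_method": "Credit Card", "cc_type": "Visa",
     "cc_owner": "A. Customer", "cc_number": "4111111111111111", "cc_expires": "0109"},
    {"orders_id": 1002, "payment_method": "Credit Card", "cc_type": "MasterCard",
     "cc_owner": "B. Customer", "cc_number": "5500 0000 0000 0004", "cc_expires": "1208"},
    {"orders_id": 1003, "payment_method": "Credit Card", "cc_type": "Visa",
     "cc_owner": "C. Customer", "cc_number": "411111XXXXXX1111", "cc_expires": "0310"},
    {"orders_id": 1004, "payment_method": "PayPal", "cc_type": "",
     "cc_owner": "", "cc_number": "", "cc_expires": ""},
]

if __name__ == "__main__":
    for order_id in audit_orders(SAMPLE_ORDERS):
        print(f"order {order_id}: full card number stored; remove or truncate it")
```

In practice you would feed it the rows from a `SELECT orders_id, payment_method, cc_type, cc_owner, cc_number, cc_expires FROM orders` export rather than the constructed list. Note that the script only answers the narrow question of whether full card numbers are present in the database; a store that has already emailed the middle digits, or that has the numbers in backups and mail archives, still holds cardholder data elsewhere, which is the point the reply above makes about every machine that touches the CC info.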
