
osCommerce


PA-DSS & PCI COMPLIANT...


Drapeta


Posted

Hi! One of my providers needs this from me:

Data Security Standards Compliance Information

Is your software PA-DSS compliant?*: Yes No

If Not, when do you expect to be PA-DSS compliant:

Is your software PCI compliant?*: Yes No

If Not, when do you expect to be PCI compliant:

What must I do? Is OSC PA-DSS & PCI compliant? What does it mean? THANKS!

Posted

Tom,


PCI DSS compliance varies by country/state/province. You will need to check your local requirements to determine what needs to be changed to ensure your site is PCI DSS compliant.


Out of the box, OSC is not completely compliant so it will take some changes to make it compliant, again depending on your local requirements.


Chris

Posted

Search for PCI-DSS on this forum. You'll see lots of discussion on attaining it and keeping it. What is the situation here? Basically, you need to worry about it only if you use a merchant account/payment gateway to take credit cards (also some third party systems that stay on your site to take credit card numbers, rather than going offsite). If you use a third party such as PayPal to accept credit cards (and sends the customer offsite to them to enter their credit card), generally you don't have to worry about PCI-DSS. You should have SSL protection on pages handling customer information (name, address, email, etc.), but beyond that it varies by country as to how much effort you need to protect this information.


PCI-DSS is much more than using SSL when handling sensitive information. It also looks at encryption of stored information, access controls, and data center security. It's much more than just the store software, it requires audits, and it's expensive. If you're lucky, it will pertain only to handling credit card numbers, and you can avoid the expense by switching to a third party payment system. So the first thing to find out is why your "provider" is interested in PCI-DSS. If it's just a merchant account/payment gateway, and there are no additional government regulations for increased data security, simply switching to a third party payment system could do the job for you. If you are a small business, it could work out to be cheaper too.

  • 2 weeks later...
Posted

> Search for PCI-DSS on this forum


I was trying to search for "PCI-DSS", but the search page gave me a bunch of unrelated links. Later I figured out it's better to search for "PCI DSS" (without a dash), and found this thread.


> Is your software PA-DSS compliant?

This is needed when a customer enters a credit card right on your web site to pay. The cheapest and easiest option is to switch to a service like PayPal EC, Google Checkout, WorldPay or 2Checkout. However, my clients insist they need customers to enter credit cards on their web site. They say "it is more professional". I am sure using a payment method where the customer inputs the credit card on the payment gateway's secure page is good enough, but the customers do not agree with that. Is there a PA-DSS solution for osC?

Posted

If your client insists that staying "on site" to enter credit card numbers is "more professional", they'd better be ready and willing to shell out lots of cash to get the necessary certifications and audits done. It's not so much anything that osC has to do (other than enabling SSL usage) as much as the stuff outside of osC -- physical and logical security for customer financial information (credit card numbers), including proper encryption of data transmissions and storage, and control of physical access to the server. Generally it's not worth the added expense and hassle, unless the client is already large enough that a payment gateway/merchant account is considerably cheaper to run than paying per-transaction fees to a third party payment system.
