sathishhpk Posted February 20, 2014
How is information and data security handled in osCommerce? Does it follow a guideline or known standard? Are there any best practices or implementation documents available?
Jack_mcs Posted February 20, 2014
Your question is a little unclear to me, but assuming you are referring to your customers' data, you should have an SSL certificate installed.
MrPhil Posted February 20, 2014
There are two areas of interest here: data transmission security and storage security. The first involves using SSL if harm would be caused by someone listening in on the data transfer between your site and the customer browser. The second is data storage on your site: could someone get in and easily take a peek at the information? Encrypting data helps, but since it has to be decrypted automatically for use, it won't stop more than a casual snooper. There's also the matter of whether someone could look at data while it's being transferred within your site. At some point it has to be "in the clear", and so security depends on physical and remote access controls and the honesty of staff (yours and your host's).

SSL should be used to protect signon and credit card information transfer. Its use could be extended to protect customer contact information (shipping address entry, phone number, etc.), or even the entire site. Depending on the legal jurisdiction, there may be laws about how specific customer data needs to be handled and protected. Even if laws permit unencrypted transfer and storage of customer information, use good judgment as to whether the information is sensitive enough that your customers would be uneasy about entering it without SSL, or about your storing it unencrypted.

Credit cards are another matter. Simply handling them requires PCI-DSS compliance (which includes SSL usage). Don't even think of storing credit card numbers (including CVV/CVV2) unless you are PCI-DSS compliant and have the blessing of financial authorities. Past versions of osC have offered add-ons to email credit card numbers split up among several emails; don't use those. Don't take credit card numbers for manual processing on an in-store terminal unless you have permission from your bank and payment gateway to do this.
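To make the "SSL for signon and checkout" advice above concrete, here is an added example (not code from this thread or from the osCommerce project itself) showing the weak and corrected settings in an osCommerce 2.3.x includes/configure.php, plus a page-level guard. The hostname is a placeholder, and the guard assumes it is placed in a page script after the require of includes/application_top.php, which is what defines $request_type and $PHP_SELF.

```php
<?php
// Weak setting (what a fresh install without a certificate looks like):
// signon, account and checkout pages are all served over plain http,
// so the browser-to-site leg that MrPhil describes is unprotected.
//
//   define('HTTPS_SERVER', '');
//   define('ENABLE_SSL', false);
//
// Corrected setting: SSL switched on and an https base URL supplied, so
// tep_href_link($page, $params, 'SSL') builds https links for the pages
// osCommerce marks as sensitive (login, account, checkout).
define('HTTP_SERVER', 'http://www.example.com');    // placeholder hostname
define('HTTPS_SERVER', 'https://www.example.com');  // placeholder hostname
define('ENABLE_SSL', true);
define('HTTP_COOKIE_DOMAIN', 'www.example.com');
define('HTTPS_COOKIE_DOMAIN', 'www.example.com');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
// To extend SSL to the entire site, as the post suggests, point HTTP_SERVER
// at the https URL as well, so even 'NONSSL' links are built over https:
//   define('HTTP_SERVER', 'https://www.example.com');

// Page-level guard (assumed to sit in a page that handles customer data,
// after require('includes/application_top.php')). application_top.php sets
// $request_type to 'SSL' or 'NONSSL' from the HTTPS server variable; if the
// page was reached over plain http while SSL is enabled, bounce the same
// request to its https equivalent before any form data is handled.
if (ENABLE_SSL === true && $request_type != 'SSL') {
  tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(), 'SSL'));
}
```

The redirect covers only the transmission leg; the storage and staff-access concerns in the post are not addressed by this setting and need separate controls.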
sathishhpk Posted February 21, 2014 (Author)
Thanks, guys, for the quick one. Follow-up question: please let me know the steps that need to be adhered to in order to keep the entire osCommerce installation secured from the application perspective, like a complex admin password, protection from SQL injection, etc.
This topic is now archived and is closed to further replies.