osCommerce

Information and Data Security


sathishhpk


Posted

How is information and data security handled in osCommerce? Does it have a guideline or a known standard that it follows? Are there any best practices or an implementation document available?

Posted

There are two areas of interest here: data transmission security and storage security. The first involves using SSL if harm would be caused by someone listening in on the data transfer between your site and the customer browser. The second is data storage on your site -- could someone get in and easily take a peek at the information? Encrypting data helps, but since it has to be decrypted automatically for use, it won't stop more than a casual snooper. There's also the matter of whether someone could look at data while it's being transferred within your site -- at some point, it has to be "in the clear", and so security depends on physical and remote access controls and the honesty of staff (yours and your host's).


SSL should be used to protect sign-on and credit card information transfer. Its use could be extended to protect customer contact information (shipping address entry, phone number, etc.), or even the entire site. Depending on the legal jurisdiction, there may be laws about how specific customer data needs to be handled and protected. Even if laws permit unencrypted transfer and storage of customer information, use good judgment as to whether the information is sensitive enough that your customers would be uneasy about entering it without SSL, or about your storing it unencrypted.


Credit cards are another matter. Simply handling them requires PCI-DSS compliance (which includes SSL usage). Don't even think of storing credit card numbers (including CVV/CVV2) unless you are PCI-DSS compliant and have the blessing of financial authorities. Past versions of osC have offered add-ons to email credit card numbers split up among several emails -- don't use those. Don't take credit card numbers for manual processing on an in-store terminal, unless you have permission from your bank and payment gateway to do this.
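The two areas the reply above separates, transmission and storage, as an added PHP example. This is not osCommerce project code and not the poster's; it assumes PHP 7.2 or later with the bundled sodium extension, TLS terminated on the web server so that $_SERVER['HTTPS'] is set, a configured HTTPS base URL passed in by the caller (the Host header is deliberately not trusted), and a key file outside the web root at an assumed path. The file path and function names are illustrative.

```php
<?php
// Added example, not osCommerce code. Assumptions: PHP >= 7.2 (ext/sodium),
// HTTPS terminated on the web server, and a 32-byte key file at KEY_FILE
// (assumed path, outside DocumentRoot, readable only by the PHP user).
declare(strict_types=1);

// ---- 1. Transmission: refuse to serve sign-on / checkout pages over plain HTTP ----

function request_is_https(): bool
{
    // Apache and nginx set HTTPS to 'on' (or '1'); some FastCGI setups set 'off'.
    return !empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off';
}

function require_https(string $https_base): void
{
    if (request_is_https()) {
        // Tell browsers to upgrade future requests themselves (one year).
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    // Redirect to the configured HTTPS origin, not to $_SERVER['HTTP_HOST'],
    // which an attacker controls. The redirect itself carries no form data.
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: ' . rtrim($https_base, '/') . $uri, true, 301);
    exit;
}

// ---- 2. Storage: encrypt a sensitive column, key held outside the web root ----

const KEY_FILE = '/etc/osc/customer-data.key';   // assumed path for this example

function load_key(): string
{
    $key = @file_get_contents(KEY_FILE);
    if ($key === false || strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
        throw new RuntimeException('missing or malformed key file');
    }
    return $key;
}

function encrypt_field(string $plaintext, string $key): string
{
    // Fresh random nonce per value; secretbox is authenticated (XSalsa20-Poly1305).
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    // Store nonce || ciphertext, base64 so it fits a VARCHAR column.
    return base64_encode($nonce . $box);
}

function decrypt_field(string $stored, string $key): string
{
    $raw = base64_decode($stored, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        throw new RuntimeException('stored value is not a valid ciphertext');
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        // Wrong key or tampered row: fail closed rather than return garbage.
        throw new RuntimeException('decryption failed');
    }
    return $plain;
}

// ---- Self-contained round trip with a throwaway key (constructed sample data) ----
$key    = sodium_crypto_secretbox_keygen();
$stored = encrypt_field('+1 555 0100', $key);   // what would go into the customers table
if (decrypt_field($stored, $key) !== '+1 555 0100') {
    throw new RuntimeException('round trip failed');
}
echo "round trip ok\n";
// The reply's caveat, made concrete: anyone who can run code as the web server
// user (a PHP shell dropped through a vulnerable add-on, a dishonest admin)
// can call load_key() and decrypt_field() exactly as the shop itself does.
```

Generate the key once with sodium_crypto_secretbox_keygen() and write it to the key file with permissions that allow only the PHP user to read it. The last lines are the point of the reply: encryption at rest defeats someone who copies a database dump or a backup, not someone who can execute code as the web server user, because decrypting is exactly what the shop has to do to use the data.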

Posted

Thanks, guys, for the quick one. Follow-up question: please let me know the steps that need to be adhered to in order to keep the entire osCommerce installation secure from the application perspective, like a complex admin password, protection from SQL injection, etc.

Archived

This topic is now archived and is closed to further replies.
