Is osCommerce PCI Compliant?

PCI Compliance means complying with the PCI DSS guidelines set out by the major credit card vendors to ensure secure handling of credit card data. We recommend you read the Quick Reference Guide. While it is not (yet) law, following them is part of your Merchant Account agreement with each of the CC vendors you deal with. First, you have to handle credit cards securely. Second, you have to prove you do. The level of proof required depends on your “Merchant Level”.

PCI DSS Guidelines

The guidelines include 12 key requirements for organisations that accept or process card payments:

  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for passwords or other security parameters
  3. Protect stored data
  4. Encrypt the transmission of cardholder data and sensitive information
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

These requirements apply to all organisations that store, transmit or process card data.

Compliance

The first point to note is that while the guidelines are “generic” in nature, each vendor still has its own specific guidelines and you need to familiarize yourself with each one (see list below).
The second is that how you need to prove compliance with certain requirements depends largely on how many transactions you process a year. And again, vendors only care about how many of their own transactions you process each year. For example, Visa specifies “Visa transactions”. They don’t care how many MasterCard transactions you do, just how many you do with Visa. The same applies to all the others.

Merchant Levels

The guidelines often refer to Merchant Levels. However, only VISA, MasterCard and AMEX classify merchants by Level. JCB and Discover have their own methods, and you need to look at their sites to determine what they are if you accept these cards.
For VISA and MasterCard, most users of osCommerce come under the Level 4 Merchant category because they are micro or small businesses doing fewer than 20,000 transactions per year online. Note that this is the number of orders per year, not the monetary value of the orders. 20,000 transactions equals about 55 orders a day. However, a growing number are moving into the Level 3 Merchant category, which is up to 1,000,000 transactions per year. Again, note that these are per-credit-card-company benchmarks, not all transactions combined. So you can do 20,000 VISA transactions and 20,000 MasterCard transactions and still be Level 4. AMEX has no Level 4: if you do under 50,000 transactions you are Level 3.
But remember, Merchant Level has nothing to do with handling cards securely. It is about proof of compliance, i.e. how you prove what you do. We’ll talk about that in another post. Let’s just look at the processing of cards.

Secure Credit Card Handling

There are two ways for osCommerce to accept credit cards: on the site itself, or using a third party gateway.

  • Third Party Gateways

Here a large part of the burden of compliance is shifted to the third party. All you have to do is:

  1. Make sure pages handling secure information, e.g. Login and Account pages, run under SSL
  2. Make sure that no credit card information is actually stored in your database (you need to check, because some CC Payment Modules seem to do this even when they do not need to)
  3. Make sure that your site code is secure, i.e. no-one can hack it to siphon credit card details en route to the third party gateway

  • Manual Payments

A lot of sites cannot process cards online because they don’t know the total order amount or there is a long delay between order and shipment. These sites collect the credit card data themselves and store it in their own database for later retrieval and processing using a virtual terminal or POS machine. In this case the guidelines covering credit card handling apply.

PCI Credit Card Handling

If you use a manual credit card payment module then you need to:

  1. Make sure pages handling secure information, e.g. Login and Account pages, run under SSL
  2. Not store the 3-4 digit CVV number anywhere. If you need the CVV then you can email it to yourself, but without ANY other CC data in the email.
  3. Encrypt the Credit Card Number, the Cardholder Name (Billing Name), Expiration Date and Card Service (e.g. MasterCard) when you store them
  4. In Admin, access any page showing the CC details under SSL
  5. Not show the CC details to the Customer and, if for any reason you do so, do it under SSL with the CC details masked (*)
  6. Permanently mask or remove the CC number as soon as you have processed the card, so it can no longer be seen in Admin and is no longer in the database.
  7. Control who has access to Admin. Each user has to have a unique userid and password. If you are using an .htaccess file, that is no longer acceptable. You need another system such as Admin Access Levels, or upgrade to osCommerce RC1+, to assign a unique userid/password to each person accessing Admin.
  8. Make sure that your site code is secure, i.e. no-one can hack it to siphon credit card details in transit. First, you need to use reputable companies/people to maintain your site code. Second, you need to lock down important programs such as checkout and payment modules so they cannot be changed without your permission. Third, you need to monitor code changes using a code monitoring tool.

(*) Masking means that you hide the number using special characters such as “*”. At most, you leave the first 6 and last 4 digits showing.
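As an added example (not osCommerce code and not from the original post), the following Python sketches the storage rules in points 2, 3 and 6 and the masking footnote for a manual-payment order record: the CVV is never written, the four card fields are encrypted by a caller-supplied `encrypt` function (assumed here; a real site would use an authenticated cipher with the key kept off the web server), the number is masked to at most the first 6 and last 4 digits, and an audit function flags stored rows that break those rules.

```python
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used only to recognise a stored plaintext card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Rule (*): show at most the first 6 and last 4 digits, star the rest."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19:
        raise ValueError("card number must have 12 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def prepare_for_storage(card: dict, encrypt) -> dict:
    """Rules 2 and 3: the CVV is dropped, the four stored fields are encrypted
    and a masked copy of the number is kept for display in Admin. `encrypt`
    is a caller-supplied function (assumed here) that returns ciphertext."""
    return {
        "cc_number_enc": encrypt(card["number"]),
        "cc_owner_enc": encrypt(card["owner"]),
        "cc_expires_enc": encrypt(card["expires"]),
        "cc_type_enc": encrypt(card["type"]),
        "cc_number_masked": mask_pan(card["number"]),
    }

def purge_after_processing(row: dict) -> dict:
    """Rule 6: once the card is charged, only the masked number is kept."""
    return {"cc_number_masked": row["cc_number_masked"]}

def storage_violations(row: dict) -> list:
    """Audit one stored order row; returns the rules it breaks (empty = OK)."""
    found = []
    for key, value in row.items():
        text = str(value)
        if "cvv" in key.lower() and text.strip():
            found.append(f"{key}: CVV stored (rule 2)")
            continue
        compact = re.sub(r"[ -]", "", text)  # "4111 1111 ..." is still a PAN
        if compact.isdigit() and 12 <= len(compact) <= 19 and luhn_ok(compact):
            found.append(f"{key}: unencrypted card number (rule 3)")
        elif "*" in text and (len(text.split("*")[0]) > 6
                              or len(text.rsplit("*", 1)[-1]) > 4):
            found.append(f"{key}: mask shows too many digits (rule *)")
    return found
```

The audit function is meant to be run over the orders table after installing any CC payment module, since, as noted above, some modules store data they do not need.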

Of course you need other non-site processes in place covering how you manage card numbers, access to computers, virus protection of those computers and so on. But that has nothing to do with osCommerce.
If your site code is not PCI Compliant then contact us and we’ll implement all the changes you need to make osCommerce PCI Compliant.

Quicklinks:

American Express
Discover Card
JCB International
MasterCard Worldwide
Visa Inc
Visa Europe