
How to make PrestaShop PCI compliant???


datvtran


Hi,

I really love how Prestashop functions, but I am worried that it may not be PCI compliant. I am located in Canada and have the website hosted in the US. What I am worried about is having to add additional coding to make it PCI compliant. I am not a programmer, so I really don't want to pay an arm and a leg to have it PCI compliant. I hope someone on this forum could help me out on this.

Thank you,
Dat


  • 2 weeks later...

Dat, PCI compliance is mainly based off of your bank requirements and how many credit card transactions you process each year. If you are a level 4 merchant with less than 20,000 CC transactions a year, the requirements are not as strict.

Read the following FAQ for more info:

http://www.pcicomplianceguide.org/pcifaqs.php

You will need to use SSL (I'd suggest 256-bit), get a vulnerability site scan every quarter, fill out some assessment forms, and maintain your records. Your bank should be able to give you their requirements. You may not have to do anything, but at a minimum you definitely need SSL, and the more encryption the better, obviously.

I'd be interested to see if anyone has had a prestashop site scanned by one of the more reputable companies like McAfee or Comodo yet?

-ic
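The reply above lists the basics a small merchant is asked for: SSL on the storefront and a quarterly vulnerability scan. The script below is an added example, not code from the thread or from PrestaShop, that a merchant can run against their own shop before the paid scan to catch the two most common findings early: plain HTTP that does not redirect to HTTPS, and a certificate that fails validation or is close to expiry. The hostname `shop.example.com` is a placeholder, and the TLS 1.2 floor is an assumption that follows the PCI guidance retiring SSL and early TLS; it checks protocol version and certificate validity, not the symmetric key size the poster mentions.

```python
"""Pre-scan self-check for a storefront: HTTPS redirect and certificate health.

Added example; not part of the forum thread or of PrestaShop itself.
"""
import datetime as dt
import socket
import ssl
from http.client import HTTPConnection

# Placeholder hostname (assumption): replace with your own shop's domain.
SHOP_HOST = "shop.example.com"

# Assumed floor: PCI guidance retired SSL and early TLS, so anything below
# TLS 1.2 is treated as a failure here.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def classify_redirect(status, location, host):
    """True only if a plain-HTTP response redirects to HTTPS on the same host.

    A 200 on port 80 means the shop is being served unencrypted; a redirect
    to http:// or to another host is not an HTTPS upgrade either.
    """
    if status not in (301, 302, 307, 308):
        return False
    return location.lower().startswith("https://" + host.lower())


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the notAfter string from getpeercert().

    getpeercert() formats the field like 'Jun  1 12:00:00 2030 GMT'.
    """
    expires = dt.datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z")
    expires = expires.replace(tzinfo=dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    return (expires - now).days


def check_http_redirect(host):
    """Fetch / over plain HTTP and report whether it upgrades to HTTPS."""
    conn = HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    return classify_redirect(resp.status, resp.getheader("Location", ""), host)


def check_tls(host):
    """Open a verified TLS session and report protocol, cipher and cert lifetime.

    create_default_context() validates the chain against the system trust
    store and checks the hostname, so a self-signed or mismatched certificate
    raises ssl.SSLCertVerificationError instead of silently passing.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "days_left": days_until_expiry(cert["notAfter"]),
            }


if __name__ == "__main__":
    # Network calls only happen when run directly against a real host.
    print("HTTP -> HTTPS redirect:", check_http_redirect(SHOP_HOST))
    result = check_tls(SHOP_HOST)
    print("TLS:", result)
    if result["days_left"] < 30:
        print("WARNING: certificate expires in under 30 days; renew before the scan")
```

Run it with `python3 shopcheck.py` after editing `SHOP_HOST`. A redirect result of `False` or a certificate verification error are exactly the kinds of items an ASV scan reports, so fixing them first saves a failed quarterly report; the scan itself still has to be done by an approved vendor, this script does not replace it.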


  • 2 weeks later...
In my opinion PCI is a big fake with rules like "do not give your credit card number to everyone", "fix every security issue", "do not open every port in your firewall" and a few others.
PrestaShop is probably already PCI compliant if you use SSL (and it can be done with PS).

Well, IMHO it's a bit more than that and worth the effort. It's got some obvious ones like "don't use factory default passwords" but also important matters such as a separation of client data from the webserver, physically (and technically) restricted access to the server containing card data (if you're storing that, which I'd advise against anyway), etc.

Especially with smaller shops not paying too much attention to data security (heck, most of them host their shop on a shared server with who knows what kind of other websites!), I believe PCI DSS does serve its purpose: beef up security while keeping it realistic for smaller merchants (less stringent requirements if you decide not to save credit card data and handle under xxx transactions / year, etc.).

(Too bad creditcards are inherently unsafe to begin with, so no matter how securely you store them they can still be a lot of trouble, but that's another discussion... :) )