Prestashop PCI DSS Compliant

[magma]

Hi, I don't see Prestashop on the visa list of PCI compliant service providers.

http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf


Yet it states on the Prestashop features section that it is PCI compliant.

http://www.prestashop.com/en/features

Does anyone know for sure if it is PCI compliant or not?

[magma]

bump

Anyone have any info on this?

[mytheory.]

Hi.

I'm not very knowledgeable about this topic, so please take my comments very lightly.

I think the list from your first link (from visa) is a list of the payment processors and gateways that are approved. By payment processor I'm talking about merchant companies that actually handle all the payment transactions, such as firstdata, worldpay, paypal, etc.

I don't think shopping cart programs (opensource at that) would be included in that list since shopping carts like PS doesn't actually process any payments... they use payment modules that link to payment gateways of these processors to actually handle payment data.

But by PCI compliant I think (big think) that PS is referring to the fact that it does not have any vulnerabilies that would cause your system to fail a PCI scan. I don't know how or what the standards are for these major Credit card companies when required to pass a PCI scan and be compliant (I'd imagine a lot more rigorous than most of our servers), but for each of our systems (servers) to be PCI compliant they need to pass a PCI scan.

For the hell of it we recently ran PCI scan of our system and found some vulnerabilities that need to be patched before it would become "compliant." We got a free 1 year service of Comodo's HackerGuardian PCI scan and their HackerProof daily scans for signing up for their EV SSL certificate. So we figured we might as well take advantage of these programs... so for the past couple of days I've been running scans to become compliant. For the daily scans we managed to pass them after 1 day of patching... however, the PCI scan went a little deeper and had more requirements that needed to be patched before it would pass. The set of warnings and holes we got from both scans were similar... but while the daily scan would pass for a low priority warning, the PCI would not.

I should mention that we did not get any hits on running prestashop on our systems, there were no warnings or holes related to our PS setup. So as far as PS being PCI compliant and allowing us to pass our PCI scans and becoming compliant with our CC processor it was a success.

HTH!