jawaRunner Posted November 20, 2011 Hello! I am new to PrestaShop and have been evaluating the application. I am very impressed with it. I see the application is PCI compliant. Is there anywhere on the site I can learn more about its compliance and server setup requirements or suggest hosts (for PCI compliance)? We are located in the US. Thank you so much for your time and any thoughts you can share. Thank you, Michael
taikahn Posted May 6, 2012 This is basically what I expected. I finally pick a platform, start to really dig in, and it's not even *apparently* truly PCI compliant -- has a marketing tagline "pci compliant" -- yet I can't find a single pci compliant prestashop hosting environment or set of instructions or even guidelines on how to setup prestashop for compliance. Someone out there help us out?
Dh42 Posted May 6, 2012 What pci compliance rating do you need? Your actual payment processor determines how compliant you have to be. For most people it is just pci level 4, which means you just have to fill out a form and send it in. There are no audits. This might help a little bit: http://www.practicalecommerce.com/articles/1028-PCI-Compliance-Frequently-Asked-Questions Most of my customers tend to go with authorize.net for processing the cards; here are their requirements. They are pretty lax and more than likely you will be in level 4 where you just fill out a self assessment form. http://www.authorize.net/resources/pcicompliance/ As far as the pci scan, mcafee is one of the more common companies to do it. Every web host should be pci 4 compliant. To make the step to pci 3 the most common things to ask for are the current stable release of php and turning off ftp and using sftp. Any host should be able to tell you what compliance level their servers are at also if you just ask. I would bet that some also have special servers set up that if you tell them you need to be on a pci 3 machine they could handle that request. Here is a link to mcafee's scan just so you can have it. http://www.mcafeesecure.com/us/
taikahn Posted May 7, 2012 ^nice generalizations. We are level 2. Your "answers" above are elementary. Again... WHERE are the pci compliant prestashop hosts? Not ALL hosts are compliant, for example, the one I use now (powervps.com) --- Where are the instructions for setting up prestashop to retain compliance? Oh wait... that's right, there are neither on this website....
Dh42 Posted May 7, 2012 Ok, let me be specific. If you are pci level 2 and you do not know these things it is your fault. The shopping cart is not what makes a site pci compliant, it is how your shopping cart works. Here is a list of Visa's pci compliant companies. http://usa.visa.com/download/merchants/cisp-list-of-pcidss-compliant-service-providers.pdf Prestashop is not on that list. Why not? Aren't they pci compliant? Yes, they are pci compliant in the means that they need to be. If you notice, cart maker Volusion is on that list. Let me expound on why they are on the list and Prestashop is not, yet both are pci compliant. Volusion is cart software just like Prestashop, but the difference with Volusion is they offer credit card processing. Prestashop does not. Hence they do not need to be pci compliant for the card companies. Prestashop gains its pci compliance by not storing the credit card data, it just transmits it to a secure pci compliant processor. Nowhere in the back office or anywhere on your server is the credit card information stored. That is what makes it pci compliant. You can use modules that store credit cards for offline processing of payment, but that will make you not compliant. You might be confusing pci compliant with PA-DSS, which if you are, Prestashop is not. Why are they not? They do not have to be. As for the hosts that are pci compliant, for most people standard web hosts are compliant enough. If you are processing over 1m transactions a year and you do not know pci compliance, that scares me. You would have to be running dedicated machines for a site that size, so you should either talk to your network admin about the scans. If you are using a managed solution talk to your hosting company. No one out of the box that I can imagine would offer you a pci level 2 system without upcharging and it being asked for.
tl;dr: Prestashop is pci compliant by the nature of not storing credit cards, 99% of all hosts out of the box are pci level 4 compliant because they do not have to do anything to be compliant.
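The point made above is that the shop stays in scope-reducing territory only as long as no card number ever lands on the server, and that an offline-processing module silently breaks that. The added example below (not from the thread or from PrestaShop) is a small check a shop owner can run over a database export, log file or module table to catch primary account numbers that should not be there: it looks for 13-19 digit runs, keeps only those that pass the Luhn check (so order references and phone numbers are ignored), and reports them masked. The sample rows are constructed test data using public card test numbers.

```python
import re

# Constructed sample rows, as might appear in a stray DB export or module log (not real card data).
SAMPLE_ROWS = [
    "order 1042 | paid via processor token tok_ab12cd34 | status: accepted",
    "order 1043 | offline module stored: 4111 1111 1111 1111 exp 12/26",   # Luhn-valid test number
    "order 1044 | reference 1234567890123456",                             # 16 digits, fails Luhn
    "order 1045 | phone +1 555 0100 | tracking 5500 0000 0000 0004",       # Luhn-valid test number
]

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the digit strings in text that look like card numbers and pass Luhn."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep first six and last four digits, as PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_rows(rows) -> list:
    """Return (row number, masked PAN) for every row that holds a likely card number."""
    return [(n, mask(pan)) for n, row in enumerate(rows, 1) for pan in find_pans(row)]


if __name__ == "__main__":
    for n, masked in scan_rows(SAMPLE_ROWS):
        print(f"row {n}: stored card number found ({masked})")
```

Any hit means some module or log is persisting card data and the shop is no longer compliant by the reasoning in the post above; the same scan can be pointed at a full database dump before a self-assessment.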