datvtran Posted April 22, 2009

Hi, I really love how Prestashop functions, but I am worried that it may not be PCI compliant. I am located in Canada and have the website hosted in the US. What I am worried about is having to add additional coding to make it PCI compliant. I am not a programmer, so I really don't want to pay an arm and a leg to have it PCI compliant. I hope someone on this forum could help me out on this.

Thank you,
Dat
Damien Metzger Posted April 23, 2009

In my opinion PCI is a big fake, with rules like "do not give your credit card number to everyone", "fix every security issue", "do not open every port in your firewall" and a few others.

PrestaShop is probably already PCI compliant if you use SSL (and it can be done with PS).
datvtran Posted April 23, 2009 (Author)

Hi Damien,

Thank you for replying regarding this issue. Would you be able to further assist me on what other measures I would need to take to secure PrestaShop besides having SSL on the checkout?

Thank you,
Dat
Ion_Cannon Posted May 7, 2009

Dat, PCI compliance is mainly based on your bank's requirements and how many credit card transactions you process each year. If you are a level 4 merchant with fewer than 20,000 CC transactions a year, the requirements are not as strict. Read the following FAQ for more info:
http://www.pcicomplianceguide.org/pcifaqs.php

You will need to use SSL (I'd suggest 256-bit), get a vulnerability site scan every quarter, fill out some assessment forms, and maintain your records. Your bank should be able to give you their requirements. You may not have to do anything, but at a minimum you definitely need SSL, and the more encryption the better, obviously.

I'd be interested to see if anyone has had a PrestaShop site scanned by one of the more reputable companies like McAfee or Comodo yet?

-ic
Robert G. Posted May 20, 2009

> In my opinion PCI is a big fake, with rules like "do not give your credit card number to everyone", "fix every security issue", "do not open every port in your firewall" and a few others. PrestaShop is probably already PCI compliant if you use SSL (and it can be done with PS).

Well, IMHO it's a bit more than that and worth the effort. It's got some obvious ones like "don't use factory default passwords", but also important matters such as separation of client data from the webserver, physically (and technically) restricted access to the server containing card data (if you're storing that, which I'd advise against anyway), etc.

Especially with smaller shops not paying too much attention to data security (heck, most of them host their shop on a shared server with who knows what kind of other websites!), I believe PCI DSS does serve its purpose: beef up security while keeping it realistic for smaller merchants (less stringent requirements if you decide not to save credit card data and handle under xxx transactions / year, etc.).

(Too bad credit cards are inherently unsafe to begin with, so no matter how securely you store them they can still be a lot of trouble, but that's another discussion...)