Prestashop PCI Compliance certificate

[ceegeeee]

Hello,

 

We are looking to move our ecommerce solution to Prestashop. Our plan is to use Authorize.net as the payment gateway, using either CIM or DPM as the API method so as to avoid storing any cc data.

 

On the Prestashop site, there is a seal denoting their PCI compliance (Features > Security > PCI Compliance section); however, our acquiring bank is requesting a copy of the certificate Prestashop would have received from the PCI Council proving their PCI compliance.

 

I've contacted Prestashop directly to inquire about this, but have had no luck so far. Has anyone else run into this request from their acquiring bank or been able to receive additional documentation from Prestashop regarding their PCI compliance?

 

Thanks in advance for any help/advice.

Cheri

[benjamin utterback]

Hello ceegeeee, you should be able to show your SSL Certificate. That is most likely PCI compliant, as it will have to be in order to work with Authorize.net I believe.

[ceegeeee]

Thanks, Benjamin, but the acquiring bank is looking for something from Prestashop as the software vendor at this point (not to see our SSL certificate).

[benjamin utterback]

I don't really understand why because if a PCI compliant SSL certificate is correctly installed and active on your store, then whatever is powering your store shouldn't matter. An SSL would only be active if the server/software allowed it.

[tomerg3]

Prestashop has nothing to do with PCI compliance, it is the server side / payment module that need to be compliant.

 

If you use the DPN method, then you do not need to be PCI compliant, as no CC info is stored or processed on your site.

If you want to use the AIm method, you would need to have a PCI check done on your server, there are a few companies that offer this service, you can contact authorize.net for a recommendation.

[Dh42]

For most sites, all you need to do is a PCI self check and a free macaffe scan. http://www.authorize.net/resources/pcicompliance/ 20k transactions is 54 a day...

[ceegeeee]

Thanks everyone. I'll take this back to the acquiring bank and see what they say.

[ceegeeee]

Tomer, does your Authorize.net payment module support SIM as well? Acquiring bank is having some trouble with the idea of DPM.

[tomerg3]

No, only AIM and DPN.

 

With DPN, the form with the credit card info is collected is submitted directly the a secure (https) page on the authorize.net server.

[ceegeeee]

That's what I thought, thanks for confirming.

 

They are not liking the fact that the cc data would be entered on a merchant page, not on an Authorize.net page:

 

"In the past, we’ve always required the entry of card information to be performed on a secure page from either a single merchant customized application or PA-DSS/PCI-DSS application, which doesn’t actually happen on with the DPM method."

 

Am trying to explain that we'd have SSL on our server, so the page would be secure. Hoping they will see the light...

 

Any recommendations (you or anyone) on an Authorize.net payment module that does use SIM?

[tomerg3]

Did you point them to the method comparison on the authorize.net site?

 

http://developer.authorize.net/api/compare/

[Dh42]

It sounds like you could possibly need another acquirer, the way that Prestashop handles authorize.net is pretty standard fare.

[ceegeeee]

Alas, I did point them to that. Their response (posted above) was after I sent them links to that info. Dh42, yes, you may be right...but am trying to avoid that, if possible, to lessen the impact on our company's finance team. It's either that or go with a hosted solution (which I'm not super thrilled about) that the acquirer would be happy with...

[Dh42]

I have always taken the stance that if someone is trouble in the beginning they are always going to be trouble. Do you currently accept credit cards? If so what are your yearly tickets?

[ceegeeee]

We do, yes, using our current acquirer and SIM. I don't recall exact numbers, but we fall under Merchant Level 4.

[Dh42]

Hmm, you might call authorize.net directly then.. A three way call if you can swing it.

[gelgel]

Authorize.Net Customer Information Manager (CIM) Module  released

have look at the module below. many benefits and many advanced options

http://addons.prestashop.com/en/payments-gateways-prestashop-modules/17422-authorizenet-customer-information-manager-cim.html