
PCI-DSS or Authorize.net Experience?


jb2museo


Anyone have any experience with using Authorize.net with PrestaShop or with making sure the cart is PCI-DSS compliant.

I am under the impression that all that is needed to be done is since PrestaShop doesn't store the credit card information, is to make sure that SSL is enabled and that a legitimate third party is processing the transactions. Can anyone confirm?



Hi jb2, I got my site through PCI-DSS scan with TrustGuard. PCI really has nothing to do with Authorize.net, as long as you have a valid SSL cert, that is fine. They basically just scan the web server itself for known vulnerabilities. If you are using shared hosting, it will never pass because of the Frontpage and a multitude of other issues.

I built my site on a FreeBSD hosting site and had complete control over what was loaded, so I was able to knock out all the vulnerabilities very fast. I use Trust Guard on my site and they use Nessus to scan the site for 30,000 vulnerabilities. So I was happy to pass without much problem.

Let me know if you have any questions.

Thanks Ion. This shouldn't be too much of an issue. It's going on a dedicated enterprise Red Hat install. I do realize that was two separate questions... The Authorize.net module is community delivered on the forums and I was just wondering if anyone had any experience with it on a production site.

As far as the PCI compliance goes... mainly looking for the minimum requirements I have to get through, since the site is going to be on a fairly tight deadline.


Brandon, in my opinion, never use GoDaddy. There are plenty of good hosts out there... Slicehost, Mosso, HostGator (to name a few). Shared hosting should be fine so long as you use SSL and don't store the credit card numbers or other sensitive information. If you're on shared, I suggest just sticking with PayPal or pay-by-check payment methods so you don't have to worry about the security as much.


Really? About the shared server never passing? I use a GoDaddy shared server... what if I get my SSL through them?


On a shared server they have to enable things that will cause your PCI scan to fail, such as FrontPage extensions and the like. All those types of vulnerable applications must be turned off for PCI compliance. But other regular hosting customers need that kind of thing, so the whole server usually has to have it on.

Almost everywhere you go for hosting they have plans for PCI compliant hosting. It's more expensive, but you will never get a site through a PCI scan on a regular shared web hosting server, and if you did, I would definitely question the company who is saying you are compliant. SSL is only a small part of PCI-DSS. It's all about the web server and the vulnerabilities it may have that could be used to access customer information or credit card information.
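The thread boils down to two things a shop owner controls before paying for a scan: the checkout must actually be served over SSL/TLS, and card numbers must never end up stored anywhere on the server (logs included). The script below is an added example, not code from the thread or from PrestaShop, showing both self-checks run over constructed data. The hostname `shop.example`, the paths, the cookie name and the log lines are all made up; the card number in the sample log is the well-known `4111 1111 1111 1111` test number, not a real PAN.

```python
"""Two pre-scan PCI self-checks (added example, not from the forum thread).

Both functions operate on constructed inline data so the script runs
offline.  Hostnames, paths, cookie names and log lines are placeholders.
"""
import re

# Constructed HTTP exchanges, recorded the way a scanner would see them: the
# plain-HTTP checkout URL must redirect to HTTPS, and the HTTPS page should
# send HSTS plus Secure/HttpOnly session cookies.
CAPTURED_RESPONSES = [
    {"url": "http://shop.example/order", "status": 301,
     "headers": {"Location": "https://shop.example/order"}},
    {"url": "https://shop.example/order", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000",
                 "Set-Cookie": "PrestaShop-abc=xyz; Path=/; HttpOnly"}},
]

# Constructed application log; line 2 deliberately leaks a test card number,
# the kind of accidental storage a PCI scan or audit is meant to catch.
LOG_LINES = [
    "2024-05-01 12:30:45 order 1088 paid via gateway token tok_abc123",
    "2024-05-01 12:31:02 DEBUG card=4111 1111 1111 1111 exp=12/29",
    "2024-05-01 12:31:09 order 1089 ref 1234567890123",
]


def check_tls_headers(responses):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for r in responses:
        url, status, h = r["url"], r["status"], r["headers"]
        if url.startswith("http://"):
            loc = h.get("Location", "")
            if status not in (301, 302, 307, 308) or not loc.startswith("https://"):
                findings.append(f"{url}: plain HTTP not redirected to HTTPS")
            continue
        if "Strict-Transport-Security" not in h:
            findings.append(f"{url}: missing Strict-Transport-Security header")
        cookie = h.get("Set-Cookie", "")
        if cookie:
            # Attributes after the name=value pair, lower-cased for comparison.
            flags = {p.strip().lower() for p in cookie.split(";")[1:]}
            for flag in ("secure", "httponly"):
                if flag not in flags:
                    findings.append(f"{url}: cookie lacks {flag} flag")
    return findings


def luhn_ok(digits):
    """Luhn checksum used by card brands; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to
# neighbouring digits (so timestamps and order ids are not swept in).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(lines):
    """Return (line_no, masked_pan) for each Luhn-valid card-like number.

    The PAN is masked to first six / last four so the report itself does not
    become another place where card data is stored.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((n, masked))
    return hits


if __name__ == "__main__":
    for f in check_tls_headers(CAPTURED_RESPONSES):
        print("TLS:", f)
    for n, pan in find_pans(LOG_LINES):
        print(f"PAN in log line {n}: {pan}")
```

Run as-is, the TLS check reports one finding (the session cookie is missing the `Secure` flag even though the page is served over HTTPS) and the log check reports the leaked test PAN on line 2 while ignoring the 13-digit order reference on line 3, which fails Luhn. Pointing `find_pans` at real application and web-server logs is the cheap way to confirm the "we don't store card numbers" claim before a scanner or auditor does.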